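import { LoggerService } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import express from 'express';
import helmet from 'helmet';
import { WINSTON_MODULE_NEST_PROVIDER } from 'nest-winston';
import { AppModule } from './app.module';

/**
 * Creates the Nest application, wires the Winston logger, applies the
 * proxy/CORS/security-header configuration, mounts the static pictures
 * directory and starts listening.
 *
 * @returns resolves once the HTTP server is listening
 * @throws propagates any error from NestFactory.create() or app.listen()
 */
async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // Route Nest's own logging through the Winston provider registered in AppModule.
  const logger = app.get(WINSTON_MODULE_NEST_PROVIDER);
  app.useLogger(logger);

  // The previous version created a standalone express() instance, set
  // 'trust proxy' on it and never handed it to Nest, so the setting was never
  // in effect. Apply it to the Express instance Nest actually serves with.
  // `true` trusts X-Forwarded-* from any peer; if req.ip ever feeds rate
  // limiting or access control, narrow this to the real proxy's hop count or
  // address list so clients cannot spoof their source address.
  app.getHttpAdapter().getInstance().set('trust proxy', true);

  app.setGlobalPrefix('bizmatch');

  // Wildcard origin: any site may call the API from a browser. Browsers never
  // attach cookies to a '*' origin, so authentication has to travel in the
  // explicitly allowed Authorization header.
  app.enableCors({
    origin: '*',
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
    allowedHeaders: 'Content-Type, Accept, Authorization, x-hide-loading',
  });

  // Security Headers with helmet. Registered BEFORE the static handler:
  // Express runs middleware in registration order, so with helmet after
  // express.static the pictures were served without any of these headers.
  app.use(
    helmet({
      contentSecurityPolicy: {
        directives: {
          defaultSrc: ["'self'"],
          // 'unsafe-inline' and 'unsafe-eval' in script-src largely negate the
          // XSS protection CSP offers; move to nonces/hashes when the front-end allows.
          scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://fonts.googleapis.com"],
          styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
          imgSrc: ["'self'", "data:", "https:", "blob:"],
          connectSrc: ["'self'", "https://api.bizmatch.net", "https://*.firebaseapp.com", "https://*.googleapis.com"],
          fontSrc: ["'self'", "https://fonts.gstatic.com", "data:"],
          objectSrc: ["'none'"],
          mediaSrc: ["'self'"],
          frameSrc: ["'self'"],
        },
      },
      crossOriginEmbedderPolicy: false, // Disable for now to avoid breaking existing functionality
      hsts: {
        maxAge: 31536000,
        includeSubDomains: true,
        preload: true,
      },
      frameguard: {
        action: 'sameorigin', // Allow same-origin framing
      },
      crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' }, // Allow popups for OAuth
      crossOriginResourcePolicy: { policy: 'cross-origin' }, // Allow cross-origin resources
    }),
  );

  // Serve static files from the pictures directory (relative to the process
  // cwd). Middleware added via app.use is not subject to the global prefix.
  app.use('/pictures', express.static('pictures'));

  // TODO: a raw-body parser for '/bizmatch/payment/webhook' was previously
  // commented out here; confirm whether the webhook handler needs the raw
  // request body (e.g. for signature verification) before it is JSON-parsed.

  // `||` rather than `??` on purpose: an empty PORT should fall back too.
  await app.listen(process.env.PORT || 3001);
}

// Do not leave the startup promise floating: a failed bootstrap would
// otherwise surface only as an unhandled rejection.
bootstrap().catch((err) => {
  console.error('Application failed to start', err);
  process.exit(1);
});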