fix: add optional helmet security headers

Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet
2025-02-04 00:18:01 +01:00 · 2020-09-01 21:19:46 +02:00 · 2020-09-01 21:19:46 +02:00 · a870c12138
commit a870c12138
parent fd9a82fb9e
5 changed files with 32 additions and 0 deletions
--- a/lib/app.js
+++ b/lib/app.js
@ -1,6 +1,7 @@
 'use strict';

 const express = require('express');
+
 const compression = require('compression');
 const favicon = require('serve-favicon');
 const cookieParser = require('cookie-parser');
@ -12,6 +13,7 @@ const responseTime = require('./middleware/response-time');
 const requestLogger = require('./middleware/request-logger');
 const simpleAuthentication = require('./middleware/simple-authentication');
 const noAuthentication = require('./middleware/no-authentication');
+const helmet = require('./middleware/helmet');

 module.exports = function(config) {
    const app = express();
@ -33,6 +35,7 @@ module.exports = function(config) {
    app.use(unleashSession(config));
    app.use(responseTime(config));
    app.use(requestLogger(config));
+    app.use(helmet(config));

    if (config.publicFolder) {
        app.use(favicon(path.join(config.publicFolder, 'favicon.ico')));
--- a/lib/middleware/helmet.js
+++ b/lib/middleware/helmet.js
@ -0,0 +1,22 @@
+const helmet = require('helmet');
+
+module.exports = function(config) {
+    if (config.enableHelmet) {
+        return helmet({
+            contentSecurityPolicy: {
+                directives: {
+                    defaultSrc: [
+                        "'self'",
+                        'fonts.googleapis.com',
+                        'fonts.gstatic.com',
+                        'data:',
+                        'gravatar.com',
+                    ],
+                },
+            },
+        });
+    }
+    return (req, res, next) => {
+        next();
+    };
+};
--- a/lib/options.js
+++ b/lib/options.js
@ -56,6 +56,7 @@ function defaultOptions() {
        keepAliveTimeout: 60 * 1000,
        headersTimeout: 61 * 1000,
        version,
+        enableHelmet: process.env.ENABLE_HELMET || false,
    };
 }

--- a/package.json
+++ b/package.json
@ -74,6 +74,7 @@
    "errorhandler": "^1.5.1",
    "express": "^4.17.1",
    "gravatar-url": "^3.1.0",
+    "helmet": "^4.1.0",
    "joi": "^17.2.0",
    "js-yaml": "^3.14.0",
    "knex": "0.20.10",
--- a/yarn.lock
+++ b/yarn.lock
@ -2559,6 +2559,11 @@ hasha@^5.0.0:
    is-stream "^2.0.0"
    type-fest "^0.8.0"

+helmet@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-4.1.0.tgz#6f3a34e8f18502d6e52518428b23aa4ddaf84b38"
+  integrity sha512-KWy75fYN8hOG2Rhl8e5B3WhOzb0by1boQum85TiddIE9iu6gV+TXbUjVC17wfej0o/ZUpqB9kxM0NFCZRMzf+Q==
+
 homedir-polyfill@^1.0.1:
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz#743298cef4e5af3e194161fbadcc2151d3a058e8"