From a870c12138ab1e1fc6265b87cccba7998443057f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivar=20Conradi=20=C3=98sthus?=
Date: Tue, 1 Sep 2020 21:19:46 +0200
Subject: [PATCH] fix: add optional helmet security headers
Allow users to enable the helmet middleware to enable security headers by default.
https://github.com/helmetjs/helmet
---
 lib/app.js | 3 +++
 lib/middleware/helmet.js | 22 ++++++++++++++++++++++
 lib/options.js | 1 +
 package.json | 1 +
 yarn.lock | 5 +++++
 5 files changed, 32 insertions(+)
 create mode 100644 lib/middleware/helmet.js
diff --git a/lib/app.js b/lib/app.js
index 28c45b23d4..3fbcbf4fc8 100644
--- a/lib/app.js
+++ b/lib/app.js
@@ -1,6 +1,7 @@
 'use strict';
 const express = require('express');
+
 const compression = require('compression');
 const favicon = require('serve-favicon');
 const cookieParser = require('cookie-parser');
@@ -12,6 +13,7 @@ const responseTime = require('./middleware/response-time');
 const requestLogger = require('./middleware/request-logger');
 const simpleAuthentication = require('./middleware/simple-authentication');
 const noAuthentication = require('./middleware/no-authentication');
+const helmet = require('./middleware/helmet');
 module.exports = function(config) {
 const app = express();
@@ -33,6 +35,7 @@ module.exports = function(config) {
 app.use(unleashSession(config));
 app.use(responseTime(config));
 app.use(requestLogger(config));
+ app.use(helmet(config));
 if (config.publicFolder) {
 app.use(favicon(path.join(config.publicFolder, 'favicon.ico')));
diff --git a/lib/middleware/helmet.js b/lib/middleware/helmet.js
new file mode 100644
index 0000000000..e47f5ece66
--- /dev/null
+++ b/lib/middleware/helmet.js
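Review bot: `app.use(helmet(config))` is registered after `unleashSession`, `responseTime` and `requestLogger`, so any middleware that runs earlier and ends the response itself would send it without the security headers; the authentication middlewares required at the top of the file are candidates, although their position in the chain is not visible in this hunk. Helmet, as far as I know, only sets response headers and calls `next()`, so making it the first `app.use(...)` inside `module.exports` costs nothing and guarantees every response carries the headers when the option is on. A one-line comment at the call site would also help the next reader, e.g. `// opt-in security headers (config.enableHelmet), see lib/middleware/helmet.js`. The body of `module.exports` continues outside the hunk.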
@@ -0,0 +1,22 @@
+const helmet = require('helmet');
+
+module.exports = function(config) {
+ if (config.enableHelmet) {
+ return helmet({
+ contentSecurityPolicy: {
+ directives: {
+ defaultSrc: [
+ "'self'",
+ 'fonts.googleapis.com',
+ 'fonts.gstatic.com',
+ 'data:',
+ 'gravatar.com',
+ ],
+ },
+ },
+ });
+ }
+ return (req, res, next) => {
+ next();
+ };
+};
diff --git a/lib/options.js b/lib/options.js
index cc2414bc9f..fef5dcb0c4 100644
--- a/lib/options.js
+++ b/lib/options.js
@@ -56,6 +56,7 @@ function defaultOptions() {
 keepAliveTimeout: 60 * 1000,
 headersTimeout: 61 * 1000,
 version,
+ enableHelmet: process.env.ENABLE_HELMET || false,
 };
 }
diff --git a/package.json b/package.json
index 2ffd2eeb76..9ffd7fcf4d 100644
--- a/package.json
+++ b/package.json
@@ -74,6 +74,7 @@
 "errorhandler": "^1.5.1",
 "express": "^4.17.1",
 "gravatar-url": "^3.1.0",
+ "helmet": "^4.1.0",
 "joi": "^17.2.0",
 "js-yaml": "^3.14.0",
 "knex": "0.20.10",
diff --git a/yarn.lock b/yarn.lock
index 84eca19b5d..212ab47e3a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2559,6 +2559,11 @@ hasha@^5.0.0:
 is-stream "^2.0.0"
 type-fest "^0.8.0"
+helmet@^4.1.0:
+ version "4.1.0"
+ resolved "https://registry.yarnpkg.com/helmet/-/helmet-4.1.0.tgz#6f3a34e8f18502d6e52518428b23aa4ddaf84b38"
+ integrity sha512-KWy75fYN8hOG2Rhl8e5B3WhOzb0by1boQum85TiddIE9iu6gV+TXbUjVC17wfej0o/ZUpqB9kxM0NFCZRMzf+Q==
+
 homedir-polyfill@^1.0.1:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz#743298cef4e5af3e194161fbadcc2151d3a058e8"
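Review bot: `'data:'` and the three third-party hosts are placed in `defaultSrc` with no `scriptSrc` or `objectSrc` beside them, so `script-src` and `object-src` fall back to that list and the policy allows `<script src="data:…">` as well as scripts served from those hosts — `data:` in an effective script-src is the textbook CSP bypass that policy evaluators flag. With helmet 4.1.0 (the version the lockfile pins) a supplied `directives` object replaces helmet's built-in directive set rather than extending it, as far as I recall, so defaults such as `object-src 'none'`, `base-uri 'self'` and `frame-ancestors 'self'` are lost here too. Keep `defaultSrc` at `'self'` and grant the external hosts only to the resource types that need them; the split below assumes fonts.googleapis.com serves stylesheets, fonts.gstatic.com font files and gravatar.com avatar images, which should be confirmed against the UI, and if the UI injects inline styles `styleSrc` will also need `'unsafe-inline'` or nonces — worth a run in report-only mode before enforcing. A short header comment on the module would help as well, e.g. `// Opt-in helmet wrapper: enabled via config.enableHelmet (ENABLE_HELMET); the CSP allows self plus the font/avatar hosts the UI loads`.
```javascript
        directives: {
          defaultSrc: ["'self'"],
          scriptSrc: ["'self'"],
          objectSrc: ["'none'"],
          baseUri: ["'self'"],
          frameAncestors: ["'self'"],
          // third-party hosts only for the resource types that load them — confirm against the UI
          styleSrc: ["'self'", 'fonts.googleapis.com'],
          fontSrc: ["'self'", 'fonts.gstatic.com', 'data:'],
          imgSrc: ["'self'", 'data:', 'gravatar.com'],
        },
        // … unchanged: closing braces, enableHelmet guard and pass-through middleware …
```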
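Review bot: `process.env.ENABLE_HELMET || false` treats every non-empty string as enabled, so `ENABLE_HELMET=false` or `ENABLE_HELMET=0` in an environment file switches helmet on rather than off, and once the variable is set to anything the option cannot be turned off through it. Parse the value explicitly, e.g. `enableHelmet: process.env.ENABLE_HELMET === 'true',`, so the option is a real boolean and the accepted spelling is documented by the code itself. Whether the headers should remain off by default for a change labelled a security fix is a separate decision, but one worth stating in the commit message. `defaultOptions` continues outside the hunk.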