mirror of
https://github.com/dap-ps/discover.git
synced 2025-02-25 07:25:33 +00:00
40 lines
1.4 KiB
JavaScript
40 lines
1.4 KiB
JavaScript
|
let helmet = require('helmet');
|
|||
|
|
|
|||
|
|
class HelmetMiddleware {
|
|||
|
|
|
|||
|
|
static appendTo(app) {
|
|||
|
|
|
|||
|
|
// Our api use only internal sources
|
|||
|
|
// If someone tries to execute an external resource on our api, it wont be executed
|
|||
|
|
app.use(helmet.contentSecurityPolicy({
|
|||
|
|
directives: {
|
|||
|
|
defaultSrc: ["'self'"]
|
|||
|
|
}
|
|||
|
|
}));
|
|||
|
|
|
|||
|
|
// Expect-CT protect us from man-in-the-middle-attack over HTTPS
|
|||
|
|
// It enforce browser to check in CT public log if a requester has a valid certificate
|
|||
|
|
// TODO: Аdd report endpoint for monitoring if somebody tries to hack/mislead us
|
|||
|
|
app.use(helmet.expectCt({
|
|||
|
|
enforce: true,
|
|||
|
|
maxAge: 60 // 1 minute
|
|||
|
|
}));
|
|||
|
|
|
|||
|
|
/* Default setup
|
|||
|
|
|
|||
|
|
1. Turn DNS prefetching off -> does not convert domain to address
|
|||
|
|
example.com in 93.184.216.34
|
|||
|
|
2. Nobody except us can put our api in an iframe
|
|||
|
|
3. X-Powered-By header is hidden and now express is not shown in the requests
|
|||
|
|
4. Tells browsers to stick with HTTPS and never visit the insecure HTTP version
|
|||
|
|
5. Untrusted HTML files could not be executed in the context of our api
|
|||
|
|
This is because Internet Explorer functionality...
|
|||
|
|
6. Checks that the sending content-type match exactly the format of sending data
|
|||
|
|
|
|||
|
|
*/
|
|||
|
|
|
|||
|
|
app.use(helmet());
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
module.exports = HelmetMiddleware;
|