let helmet = require('helmet');
class HelmetMiddleware {
  /**
   * Mounts helmet's security-header middleware on an Express application.
   *
   * Two middlewares are registered, in this order:
   *   1. `helmet.expectCt(...)` — Expect-CT header, enforced, max-age 60 s
   *   2. `helmet()`             — helmet's default header set
   *
   * Content-Security-Policy is NOT enabled by this class (see the note below).
   *
   * @param {object} app - Express application (anything exposing `app.use`).
   * @returns {void}
   */
  static appendTo(app) {
    // Content-Security-Policy is intentionally left disabled for now.
    // The API only serves internal resources, so the intended policy is
    // `default-src 'self'`: a browser would then refuse to load/execute any
    // external resource referenced from our responses. Kept for reference
    // until it is switched on (whether helmet() itself applies a CSP depends
    // on the installed helmet version — confirm before relying on it):
    //
    //   app.use(helmet.contentSecurityPolicy({
    //     directives: { defaultSrc: ["'self'"] },
    //   }));

    // Expect-CT: the browser checks that the certificate it was served is
    // logged in public Certificate Transparency logs, which helps expose
    // mis-issued certificates used for man-in-the-middle over HTTPS.
    // `enforce: true` makes the browser refuse the connection on failure
    // instead of only reporting it. The policy is remembered for `maxAge`
    // seconds; the 60 s value is short (presumably to limit the impact of a
    // CT misconfiguration — confirm), so it also offers little persistence.
    // TODO: add a `reportUri` so CT failures are reported and can be monitored.
    const expectCtOptions = {
      enforce: true,
      maxAge: 60, // seconds (1 minute)
    };
    app.use(helmet.expectCt(expectCtOptions));

    // helmet() with no arguments mounts its default protections. As noted by
    // the original author these are:
    //   - dnsPrefetchControl: DNS prefetching off, so the browser does not
    //     resolve domain -> address ahead of time (example.com -> 93.184.216.34)
    //   - frameguard: nobody but us may put the API in an iframe
    //   - hidePoweredBy: X-Powered-By removed, so Express is not advertised
    //   - hsts: browsers stick to HTTPS and never visit the insecure HTTP version
    //   - ieNoOpen: untrusted downloaded HTML is not executed in the API's
    //     context (an Internet Explorer behaviour)
    //   - noSniff: the declared content-type must match the format of the data
    // NOTE(review): the exact default set depends on the installed helmet
    // major version — verify against its documentation.
    app.use(helmet());
  }
}
module.exports = HelmetMiddleware;