
let helmet = require('helmet');
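/**
 * Registers helmet's HTTP response-header hardening on an Express app.
 *
 * Two middlewares are mounted, in this order:
 *   1. `helmet.expectCt({ enforce: true, maxAge: 60 })`
 *   2. `helmet()` with its default set of header middlewares
 *
 * NOTE(review): the Expect-CT header is obsolete. Major browsers have dropped
 * support for it and already require Certificate Transparency for publicly
 * trusted certificates, and helmet removed `expectCt` in v7 — so upgrading
 * helmet will make `appendTo` throw at startup. Consider removing the call.
 *
 * No Content-Security-Policy is set here (a commented-out `defaultSrc: 'self'`
 * policy was never enabled). If this API ever serves HTML, add
 * `helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } })`.
 */
class HelmetMiddleware {
  /**
   * Mount the security-header middleware on `app`.
   *
   * @param {object} app - Express application (anything exposing `.use(middleware)`).
   * @returns {void}
   */
  static appendTo(app) {
    // Expect-CT tells the browser to require a Certificate Transparency SCT
    // for this origin's certificate for the next `maxAge` seconds. It only
    // complements TLS; it is not a general man-in-the-middle defence.
    // TODO: add a `reportUri` so CT violations reach a monitored endpoint.
    app.use(helmet.expectCt({
      enforce: true,
      maxAge: 60, // 1 minute — so short the policy barely outlives a single visit
    }));

    // helmet() defaults. Exactly which headers are set depends on the installed
    // helmet version (presumably 3.x given the file's age — verify against
    // package.json); the 3.x defaults are:
    //   - X-DNS-Prefetch-Control: off   (no speculative DNS lookups)
    //   - X-Frame-Options: SAMEORIGIN   (no third-party framing)
    //   - X-Powered-By removed          (does not advertise Express)
    //   - Strict-Transport-Security     (browsers stick to HTTPS)
    //   - X-Download-Options: noopen    (IE does not open downloads in site context)
    //   - X-Content-Type-Options: nosniff (no MIME sniffing)
    //   - X-XSS-Protection              (legacy IE/Chrome XSS auditor hint)
    app.use(helmet());
  }
}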
// CommonJS export; consumers call `HelmetMiddleware.appendTo(app)` during app setup.
module.exports = HelmetMiddleware;