added helmet for better standard of protection across the board

NodeBB · Feb 21, 2018 · 98b0bdc7e10dcaa524ca9476ee5262242d2a6ebc · 98b0bdc
1 parent c7b73b4
commit 98b0bdc7e10dcaa524ca9476ee5262242d2a6ebc
Unified Split

Showing with 4 additions and 1 deletion.

+1 −0 install/package.json

+0 −1 src/middleware/headers.js

+3 −0 src/webserver.js
diff --git a/install/package.json b/install/package.json
@@ -43,6 +43,7 @@
        "express-session": "^1.15.6",
        "express-useragent": "1.0.8",
        "graceful-fs": "^4.1.11",
+        "helmet": "^3.11.0",
        "html-to-text": "3.3.0",
        "ipaddr.js": "^1.5.4",
        "jimp": "0.2.28",
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
@@ -11,7 +11,6 @@ module.exports = function (middleware) {
 			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
-			'Referrer-Policy': 'strict-origin-when-cross-origin',	// consider using helmet?
 		};

 		if (meta.config['access-control-allow-origin']) {
diff --git a/src/webserver.js b/src/webserver.js
@@ -17,6 +17,7 @@ var cookieParser = require('cookie-parser');
 var session = require('express-session');
 var useragent = require('express-useragent');
 var favicon = require('serve-favicon');
+var helmet = require('helmet');

 var db = require('./database');
 var file = require('./file');
@@ -171,6 +172,8 @@ function setupExpressApp(app, callback) {
 		saveUninitialized: true,
 	}));

+	app.use(helmet());
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);