feat(core): Setup helmet.js for setting security headers

n8n-io · Apr 3, 2024 · bdc1a34 · bdc1a34
1 parent fe33e3e
commit bdc1a34
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -130,6 +130,7 @@
     "formidable": "3.5.1",
     "google-timezones-json": "1.1.0",
     "handlebars": "4.7.8",
+    "helmet": "7.1.0",
     "infisical-node": "1.3.0",
     "inquirer": "7.3.3",
     "ioredis": "5.3.2",

diff --git a/packages/cli/src/AbstractServer.ts b/packages/cli/src/AbstractServer.ts
@@ -32,7 +32,7 @@ export abstract class AbstractServer {
 
 	protected externalHooks: ExternalHooks;
 
-	protected protocol: string;
+	protected protocol = config.getEnv('protocol');
 
 	protected sslKey: string;
 
@@ -65,7 +65,6 @@ export abstract class AbstractServer {
 		const proxyHops = config.getEnv('proxy_hops');
 		if (proxyHops > 0) this.app.set('trust proxy', proxyHops);
 
-		this.protocol = config.getEnv('protocol');
 		this.sslKey = config.getEnv('ssl_key');
 		this.sslCert = config.getEnv('ssl_cert');
 

diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts
@@ -9,6 +9,7 @@ import { access as fsAccess } from 'fs/promises';
 import { promisify } from 'util';
 import cookieParser from 'cookie-parser';
 import express from 'express';
+import helmet from 'helmet';
 import { engine as expressHandlebars } from 'express-handlebars';
 import { type Class, InstanceSettings } from 'n8n-core';
 import type { IN8nUISettings } from 'n8n-workflow';
@@ -366,6 +367,20 @@ export class Server extends AbstractServer {
 			this.app.use('/icons/@:scope/:packageName/*/*.(svg|png)', serveIcons);
 			this.app.use('/icons/:packageName/*/*.(svg|png)', serveIcons);
 
+			const isTLSEnabled = this.protocol === 'https' && !!(this.sslKey && this.sslCert);
+			const securityHeadersMiddleware = helmet({
+				contentSecurityPolicy: false,
+				xFrameOptions: { action: 'sameorigin' },
+				dnsPrefetchControl: false,
+				// This is only relevant for Internet-explorer, which we do not support
+				ieNoOpen: false,
+				// This is already disabled in AbstractServer
+				xPoweredBy: false,
+				// Enable HSTS headers only when n8n handles TLS.
+				// if n8n is behind a reverse-proxy, then these headers needs to be configured there
+				strictTransportSecurity: isTLSEnabled,
+			});
+
 			// Route all UI urls to index.html to support history-api
 			const nonUIRoutes: Readonly<string[]> = [
 				'assets',
@@ -390,7 +405,9 @@ export class Server extends AbstractServer {
 				) {
 					req.url = '/index.html';
 					res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
-					res.sendFile('index.html', { root: staticCacheDir, maxAge, lastModified: true });
+					securityHeadersMiddleware(req, res, () => {
+						res.sendFile('index.html', { root: staticCacheDir, maxAge, lastModified: true });
+					});
 				} else {
 					next();
 				}

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml