Consider using 'helmet' npm package in node server

[Martinsos]

https://www.npmjs.com/package/helmet -> sets some reasonable default HTTPS response headers.

[Martinsos]

Draft:

1. Add helmet to the list of npm dependencies in waspc/src/Generator/ServerGenerator.hs.
2. Add helmet as top-lvl Express middleware (via app.use) in waspc/data/Generator/templates/server/src/app.js, and configure it if needed.

This might be enough! Although I don't know enough about helmet to know for sure at the moment.

[caz-gh]

Hi, is this still needed? If so, then would the default configuration options be good enough for now?

[Martinsos]

Hey @caz-gh , yes, this is still on!
Well, the idea was just to make the app more secure, and it seemed like using helmet might be a good step in that direction. That said, I never used helmet nor have I explored its options, so I am not sure what is the right config -> default will probably work!
What is your experience with helmet? Ideally, whoever implements this issue, would explore the options to some extent, to make sure they are making sense + to understand the effects of it.
Let me know if you want to work on this and I will help you out with Wasp/Haskell stuff if needed!

[caz-gh]

@Martinsos, here are the HTTP header behaviors set when using the default helmet top-level wrapper (app.use(helmet())) containing all helmet's middleware:

• Sets Content-Security-Policy header which helps protect against cross site scripting attacks.
• Sets X-DNS-Prefetch-Control header to false, which improves user privacy but with a performance cost.
• Sets Expect-CT header to help prevent the use of mississued SSL certificates.
• Removes X-Powered-By header to avoid revealing to potential attackers that Express is being used. Some discussion to whether this is actually beneficial can found here.
• Sets Origin-Agent-Cluster header. (I'm still looking into this one)
• Sets Strict-Transport-Security header tells the browser to not load a a site using HTTP, and that it should convert attempts to access the site to HTTPS requests instead of HTTP.
• Sets X-Download-Options header to noopen. (This is Internet Explorer specific)
• Sets X-Frame-Options header to SAMEORIGIN. This header helps defend against clickjacking attacks.
• Sets X-Content-Type-Options header to nosniff to mitigate MIME type sniffing.
• Sets X-Permitted-Cross-Domain-Policies to none.
• Sets Referrer-Policy header to no-referrer.
• Sets X-XSS-Protection header to 0 to disable it. This header offers some protection against basic cross site scripting attacks. Here is some discussion on why it is disabled by default.

I don't have much experience with using anything other than the default helmet settings, but I can definitely look into this further! So far, I've added helmet to my fork of Wasp and the defaults seem to be working when I look at the response headers I get with a newly created Wasp app.

[Martinsos]

@caz-gh sounds good, and thanks for putting in the work! Please go for it and make a pull request -> if you get stuck or just slowed down at any point at all, let me know and I will help out.

[Martinsos]

Hey @caz-gh , how is it going, are you still interested in taking care of this one?

[caz-gh]

Hi @Martinsos , sorry I was a little busy recently but I'll be making the pull request in a bit!

[Martinsos]

No prob, just checking in, looking forward to it :)!