Merge pull request #235 from bcgov/security/helmet
Implement Helmet content security policy
jujaga authored Dec 18, 2023
2 parents 687361d + 411bb42 commit 3e47e16
Showing 3 changed files with 28 additions and 0 deletions.
13 changes: 13 additions & 0 deletions app/app.js
Expand Up @@ -3,6 +3,7 @@ const compression = require('compression');
const config = require('config');
const cors = require('cors');
const express = require('express');
const helmet = require('helmet');

const { name: appName, version: appVersion } = require('./package.json');
const { AuthMode, DEFAULTCORS } = require('./src/components/constants');
Expand Down Expand Up @@ -33,6 +34,18 @@ const app = express();
app.use(compression());
app.use(cors(DEFAULTCORS));
app.use(express.urlencoded({ extended: true }));
app.use(
helmet({
contentSecurityPolicy: {
directives: {
'default-src': [
"'self'", // eslint-disable-line
new URL(config.get('keycloak.serverUrl')).origin
]
}
}
})
);

// Skip if running tests
if (process.env.NODE_ENV !== 'test') {
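Review bot: The Keycloak origin added to `'default-src'` only reaches the directives Helmet's built-in defaults leave unset, because helmet 7 keeps `useDefaults: true` when `directives` is supplied and those defaults pin `script-src`, `style-src`, `img-src` and `font-src` to `'self'` (alongside `object-src 'none'`, `frame-ancestors 'self'` and `upgrade-insecure-requests`), so in practice the new origin governs `connect-src` and `frame-src` but not scripts or stylesheets. If any page this app serves is expected to load Keycloak's adapter script or assets from that server, those directives need the origin listed explicitly; if not, the narrower result is the right one but should be stated so nobody later widens `default-src` expecting it to cover scripts. I would make the merge explicit and comment it, adding `useDefaults: true, // Helmet's defaults (script-src 'self', object-src 'none', ...) stay in force; default-src only covers directives they leave unset, e.g. connect-src and frame-src` directly above `directives:`. Separately, `new URL(config.get('keycloak.serverUrl')).origin` is evaluated at module load, so a missing or relative `keycloak.serverUrl` surfaces as a bare TypeError from the URL constructor rather than a readable config error; hoisting it to `const keycloakOrigin = new URL(config.get('keycloak.serverUrl')).origin; // fails at startup if keycloak.serverUrl is not an absolute URL` above `app.use(` would at least document that this is intentional fail-fast behaviour.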
14 changes: 14 additions & 0 deletions app/package-lock.json


1 change: 1 addition & 0 deletions app/package.json
Expand Up @@ -41,6 +41,7 @@
"express": "^4.18.2",
"express-basic-auth": "^1.2.1",
"express-winston": "^4.2.0",
"helmet": "^7.1.0",
"joi": "^17.11.0",
"js-yaml": "^4.1.0",
"jsonwebtoken": "^9.0.2",
