From 9a7848f2bb5dbe5954edf54c20a2e3916447a517 Mon Sep 17 00:00:00 2001
From: Philip Bruland
Date: Tue, 23 Jul 2019 11:55:10 +0100
Subject: [PATCH] Issue #9: Setup Security

- Install helmet
- Install express-rate-limit
---
 index.js | 29 ++++++++++++++++++++++++++++-
 package.json | 2 ++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 01a4bcb..233c29a 100644
--- a/index.js
+++ b/index.js
@@ -1,6 +1,8 @@
 /* INCLUDES ****************************** */
 const express = require('express');
 const session = require('express-session');
+const rateLimit = require('express-rate-limit');
+const helmet = require('helmet');
 const passport = require('passport');
 const flash = require('flash');
 const bodyParser = require('body-parser');
@@ -8,6 +10,11 @@ const dotenv = require('dotenv');
 const passportConfig = require('./Middleware/Passport/config');
 /* **************************************** */
 
+/* CONSTANTS ****************************** */
+const RATELIMITHITS = 10;
+const RATELIMITINTERVAL = 1 * 60 * 1000; // 1 Min
+/* **************************************** */
+
 /* INCLUDE CONFIGS ************************ */
 dotenv.config();
 /* **************************************** */
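Review bot: The new constant names `RATELIMITHITS` and `RATELIMITINTERVAL` in the second hunk run the words together and carry no unit, so a reader has to find the trailing `// 1 Min` comment to learn that the interval is in milliseconds; `const RATE_LIMIT_MAX_HITS = 10;` and `const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 min` would say the same thing in the name. They are also declared above the `dotenv.config();` call, so they cannot be taken from the environment the way the rest of the configuration presumably is; if the limits are meant to differ between development and production, declare them after the INCLUDE CONFIGS block and read them from `process.env` there. The require lines in the first hunk raise nothing on their own.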
@@ -22,10 +29,30 @@ const app = express();
 app.use(bodyParser());
 /* **************************************** */
 
+/* SECURITY SETUP ************************* */
+// Potentiall could run only on production
+
+// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
+// see https://expressjs.com/en/guide/behind-proxies.html
+// app.set('trust proxy', 1);
+
+const limiter = rateLimit({
+ windowMs: RATELIMITINTERVAL,
+ max: RATELIMITHITS,
+});
+
+// only apply to requests that begin with /api/
+app.use(limiter);
+app.use(helmet());
+/* **************************************** */
+
 /* SESSION SETUP ************************** */
 const sesh = {
 secret: 'Oh hi there', // Replaced with proper setup in production
- cookie: { secure: false },
+ cookie: {
+ secure: false,
+ maxAge: 60000,
+ },
 };
 
 if (app.get('env') === 'production') {
diff --git a/package.json b/package.json
index 57b117a..b0abe84 100644
--- a/package.json
+++ b/package.json
@@ -36,8 +36,10 @@
 "body-parser": "^1.19.0",
 "dotenv": "^8.0.0",
 "express": "^4.17.1",
+"express-rate-limit": "^5.0.0",
 "express-session": "^1.16.2",
 "flash": "^1.1.0",
+"helmet": "^3.19.0",
 "node-fetch": "^2.6.0",
 "passport": "^0.4.0",
 "passport-local": "^1.0.0"
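Review bot: The comment `// only apply to requests that begin with /api/` does not match the line beneath it, `app.use(limiter);`, which mounts the limiter on every route including static assets and pages; either scope it, `app.use('/api/', limiter);`, or drop the comment so the next reader does not assume API-only throttling. Because the context line `app.use(bodyParser());` at the top of the hunk runs first, a request the limiter will reject still has its body parsed; registering the SECURITY SETUP block before the body parser avoids that work. With `app.set('trust proxy', 1)` left commented out, express-rate-limit's default key (`req.ip`) is the socket address, so behind any of the proxies the comment lists every client would share one bucket of RATELIMITHITS per window — worth a sentence in that comment rather than leaving it as an optional toggle. `maxAge: 60000` is an unlabelled millisecond literal sitting next to the named rate-limit constants; a named constant such as `SESSION_MAX_AGE_MS` would make the one-minute session lifetime look deliberate (and "Potentiall" in the first added comment is a typo). The `if (app.get('env') === 'production')` block continues outside the hunk.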