This project employs a robust security middleware setup to protect against various vulnerabilities and enhance the security of the application. The middleware utilizes helmet alongside custom configurations to ensure maximum protection.
-
Content Security Policy (CSP):
- Controls the resources the browser is allowed to load for your page.
- Default configuration allows resources only from the same origin (
'self') and localhost for images, and restricts script execution to the same origin. - Customizable through the
securityMiddlewarein the code. - Example settings:
directives: { defaultSrc: ["'self'"], imgSrc: ["'self'", "data:", "http://localhost:3000"], scriptSrc: ["'self'"], }
-
X-Frame-Options:
- Prevents clickjacking attacks by not allowing the site to be embedded in frames.
- Configured to
DENYall frame embedding.
-
HTTP Strict Transport Security (HSTS):
- Forces the browser to use HTTPS connections to your server for a specified period (max-age of 1 year).
- Includes subdomains and is configured for preload lists.
-
XSS Protection:
- Enables Cross-Site Scripting (XSS) filtering in browsers.
- Helps prevent malicious scripts from being injected into your site.
-
DNS Prefetch Control:
- Controls whether the browser should perform DNS prefetching of external resources.
- Prefetching is disabled for third-party content by default.
-
Referrer Policy:
- Configures how much information is sent along with the
Refererheader in requests. - Set to
no-referrer, ensuring that no referrer data is leaked to third-party sites.
- Configures how much information is sent along with the
-
MIME Sniffing Protection:
- Prevents MIME-type sniffing by setting the
X-Content-Type-Optionsheader tonosniff.
- Prevents MIME-type sniffing by setting the
-
Permissions-Policy:
- Controls which browser features (e.g., geolocation, microphone, camera) can be used on your site.
- Example configuration:
"geolocation=(), microphone=(), camera=(), fullscreen=(self)";
-
Cross-Origin-Embedder-Policy (COEP):
- Ensures that your site does not load cross-origin resources without explicit permission (via the
require-corpsetting).
- Ensures that your site does not load cross-origin resources without explicit permission (via the
-
Cross-Origin-Resource-Policy (CORP):
- Prevents cross-origin resource sharing from unauthorized origins by restricting resource access to the same origin (
same-origin).
- Prevents cross-origin resource sharing from unauthorized origins by restricting resource access to the same origin (
-
Secure Cookies:
- Cookies are configured with the following properties:
HttpOnly: Prevents JavaScript from accessing cookies.SameSite=Strict: Limits cookies to be sent only in same-site requests.Secure: Ensures cookies are sent over HTTPS (enabled in production).
- Cookies are configured with the following properties:
-
Additional Headers:
- X-DNS-Prefetch-Control: Controls whether DNS prefetching is allowed.
- X-Powered-By: Removed to hide information about the underlying technology stack.
- X-XSS-Protection: Ensures browsers block detected XSS attacks by setting the value to
1; mode=block.
The custom security middleware is defined as an array of middleware functions in the securityMiddleware module. Below is an example from the code that showcases how these headers are configured:
import helmet from "helmet";
import cookieParser from "cookie-parser";
export const securityMiddleware = [
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
imgSrc: ["'self'", "data:", "http://localhost:3000"],
scriptSrc: ["'self'"],
},
},
frameguard: { action: "deny" },
hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
dnsPrefetchControl: { allow: false },
referrerPolicy: { policy: "no-referrer" },
xssFilter: true,
}),
(_req, res, next) => {
res.setHeader("X-Content-Type-Options", "nosniff");
next();
},
(_req, res, next) => {
res.removeHeader("X-Powered-By");
next();
},
(_req, res, next) => {
res.setHeader(
"Permissions-Policy",
"geolocation=(), microphone=(), camera=(), fullscreen=(self)"
);
next();
},
(_req, res, next) => {
res.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
next();
},
(_req, res, next) => {
res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
next();
},
cookieParser(),
(_req, res, next) => {
res.cookie("session_id", "some-session-value", {
secure: process.env.NODE_ENV === "production",
httpOnly: true,
sameSite: "strict",
maxAge: 1000 * 60 * 60 * 24,
});
next();
},
];The security middleware is applied to the Express application in app.ts as follows:
import { securityMiddleware } from "./middleware/security";
app.use(
helmet({
contentSecurityPolicy: false, // Disables default CSP to allow custom CSP
})
);
app.use(securityMiddleware);
This setup ensures that the application is protected against common web vulnerabilities and uses secure practices for cookie handling, cross-origin resource protection, and other security measures.