Add http response headers to docs page for cors, hsts, csp, and xFram…

…eOptions.
cisagov · Nov 7, 2023 · ae709d6 · ae709d6
1 parent c1634fa
commit ae709d6
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -23,12 +23,14 @@
     "autoprefixer": "^10.4.13",
     "aws-amplify": "^5.0.4",
     "classnames": "^2.3.2",
+    "cors": "^2.8.5",
     "d3-scale": "^4.0.2",
     "date-fns": "^2.29.3",
     "decamelize": "^6.0.0",
     "dompurify": "^3.0.5",
     "express-rate-limit": "^7.1.3",
     "file-saver": "^2.0.5",
+    "helmet": "^7.0.0",
     "jspdf": "^2.5.1",
     "jwt-decode": "^3.1.2",
     "papaparse": "^5.3.2",

diff --git a/frontend/scripts/docs.js b/frontend/scripts/docs.js
@@ -2,6 +2,8 @@ import serverless from 'serverless-http';
 import express from 'express';
 import path from 'path';
 import rateLimit from 'express-rate-limit';
+import cors from 'cors';
+import helmet from 'helmet';
 
 export const app = express();
 
@@ -13,7 +15,23 @@ app.use(
 ); // limit 1000 requests per 15 minutes
 
 app.use(express.static(path.join(__dirname, '../docs/build')));
+app.use(cors());
 
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        baseUri: ["'none'"],
+        defaultSrc: ["'self'"],
+        frameAncestors: ["'none'"],
+        objectSrc: ["'none'"],
+        scriptSrc: ["'none'"]
+      }
+    },
+    hsts: { maxAge: 31536000, preload: true },
+    xFrameOptions: 'DENY'
+  })
+);
 app.use((req, res) => {
   res.sendFile(path.join(__dirname, '../docs/build/index.html'));
 });