From ae709d69aabb7de9d8e97639520885dc7eca257a Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Tue, 7 Nov 2023 06:50:14 -0600
Subject: [PATCH] Add http response headers to docs page for cors, hsts, csp, and xFrameOptions.
---
 frontend/package-lock.json | 22 ++++++++++++++++++++++
 frontend/package.json | 2 ++
 frontend/scripts/docs.js | 18 ++++++++++++++++++
 3 files changed, 42 insertions(+)
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index a7996fcd3..a85de0695 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -25,12 +25,14 @@
 "autoprefixer": "^10.4.13",
 "aws-amplify": "^5.0.4",
 "classnames": "^2.3.2",
+ "cors": "^2.8.5",
 "d3-scale": "^4.0.2",
 "date-fns": "^2.29.3",
 "decamelize": "^6.0.0",
 "dompurify": "^3.0.5",
 "express-rate-limit": "^7.1.3",
 "file-saver": "^2.0.5",
+ "helmet": "^7.0.0",
 "jspdf": "^2.5.1",
 "jwt-decode": "^3.1.2",
 "papaparse": "^5.3.2",
@@ -15401,6 +15403,18 @@
 "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
 "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="
 },
+ "node_modules/cors": {
+ "version": "2.8.5",
+ "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
+ "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
+ "dependencies": {
+ "object-assign": "^4",
+ "vary": "^1"
+ },
+ "engines": {
+ "node": ">= 0.10"
+ }
+ },
 "node_modules/cosmiconfig": {
 "version": "7.1.0",
 "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz",
@@ -18908,6 +18922,14 @@
 "tslib": "^2.0.3"
 }
 },
+ "node_modules/helmet": {
+ "version": "7.0.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.0.0.tgz",
+ "integrity": "sha512-MsIgYmdBh460ZZ8cJC81q4XJknjG567wzEmv46WOBblDb6TUd3z8/GhgmsM9pn8g2B80tAJ4m5/d3Bi1KrSUBQ==",
+ "engines": {
+ "node": ">=16.0.0"
+ }
+ },
 "node_modules/hermes-estree": {
 "version": "0.12.0",
 "resolved": "https://registry.npmjs.org/hermes-estree/-/hermes-estree-0.12.0.tgz",
diff --git a/frontend/package.json b/frontend/package.json
index ebcdd21d6..9c583e66b 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -23,12 +23,14 @@
 "autoprefixer": "^10.4.13",
 "aws-amplify": "^5.0.4",
 "classnames": "^2.3.2",
+ "cors": "^2.8.5",
 "d3-scale": "^4.0.2",
 "date-fns": "^2.29.3",
 "decamelize": "^6.0.0",
 "dompurify": "^3.0.5",
 "express-rate-limit": "^7.1.3",
 "file-saver": "^2.0.5",
+ "helmet": "^7.0.0",
 "jspdf": "^2.5.1",
 "jwt-decode": "^3.1.2",
 "papaparse": "^5.3.2",
diff --git a/frontend/scripts/docs.js b/frontend/scripts/docs.js
index aeb2dad8f..025f0cc3a 100644
--- a/frontend/scripts/docs.js
+++ b/frontend/scripts/docs.js
@@ -2,6 +2,8 @@ import serverless from 'serverless-http';
 import express from 'express';
 import path from 'path';
 import rateLimit from 'express-rate-limit';
+import cors from 'cors';
+import helmet from 'helmet';
 export const app = express();
@@ -13,7 +15,23 @@ app.use(
 );
 // limit 1000 requests per 15 minutes
 app.use(express.static(path.join(__dirname, '../docs/build')));
+app.use(cors());
+app.use(
+ helmet({
+ contentSecurityPolicy: {
+ directives: {
+ baseUri: ["'none'"],
+ defaultSrc: ["'self'"],
+ frameAncestors: ["'none'"],
+ objectSrc: ["'none'"],
+ scriptSrc: ["'none'"]
+ }
+ },
+ hsts: { maxAge: 31536000, preload: true },
+ xFrameOptions: 'DENY'
+ })
+);
 app.use((req, res) => {
 res.sendFile(path.join(__dirname, '../docs/build/index.html'));
 });
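Review bot: The new headers are registered after `app.use(express.static(path.join(__dirname, '../docs/build')));`, so every request express.static can satisfy — including `/`, which it answers with index.html by default — is finished before `cors()` and `helmet(...)` ever run, and only requests that fall through to the `res.sendFile` fallback receive CSP, HSTS and X-Frame-Options. Move the `app.use(express.static(...))` line below the helmet block (or register helmet first, right after the rate limiter) so every response carries them. `xFrameOptions: 'DENY'` is probably not the shape helmet expects — its documented form is `xFrameOptions: { action: 'deny' }` — and a bare string is likely ignored in favour of the default SAMEORIGIN, so verify the emitted header; `frameAncestors: ["'none'"]` already covers modern browsers either way. Once the ordering is fixed, `scriptSrc: ["'none'"]` will apply to the docs build itself, so confirm the built pages load no scripts, and note that `cors()` with no options emits `Access-Control-Allow-Origin: *` — pass an `origin` option if a wide-open policy is not the intent.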