api and headers

src/api.ts

@@ -125,7 +125,7 @@ window.onload = function() {
     plugins: [
       SwaggerUIBundle.plugins.DownloadUrl
     ],
-    layout: 'StandaloneLayout'
+    layout: "StandaloneLayout",
   });
 }
 `;

src/index.ts

@@ -8,7 +8,7 @@ import cors from 'cors';
 import api from './api';
 import db from './db';
 
-// TODO: working demo branch
+// TODO: check header, also in UI
 
 // tell if server is running in debug or production environment
 console.info(process.env.NODE_ENV === 'production' ? '===== PRODUCTION =====' : process.env.NODE_ENV === 'test' ? '' :'===== DEVELOPMENT =====');
@@ -25,7 +25,7 @@ app.disable('x-powered-by');
 const port = process.env.PORT || 3000;
 
 // security headers
-app.use(helmet({
+const defaultHeaderConfig = {
   contentSecurityPolicy: {
     directives: {
       defaultSrc: [`'none'`],
@@ -33,23 +33,27 @@ app.use(helmet({
       formAction: [`'none'`],
       frameAncestors: [`'none'`]
     }
-  }
-}));
+  },
+  frameguard: {
+    action: 'deny'
+  },
+  permittedCrossDomainPolicies: true,
+  refererPolicy: true
+};
+app.use(helmet(defaultHeaderConfig));
 // special CSP header for api-doc
 app.use('/api-doc', helmet.contentSecurityPolicy({
+  ...defaultHeaderConfig,
   directives: {
-    defaultSrc: [`'none'`],
     scriptSrc: [`'self'`],
     connectSrc: [`'self'`],
     styleSrc: [`'self'`, `'unsafe-inline'`],
-    imgSrc: [`'self'`, 'data:'],
-    baseUri: [`'self'`],
-    formAction: [`'none'`],
-    frameAncestors: [`'none'`]
+    imgSrc: [`'self'`, 'data:']
   }
 }));
 // special CSP header for the bosch-logo.svg
 app.use('/static/img/bosch-logo.svg', helmet.contentSecurityPolicy({
+  ...defaultHeaderConfig,
   directives: {
     styleSrc: [`'unsafe-inline'`]
   }