Add Helmet to protect against common web vulnerabilities Change-Id: I04329eb8a41c06b74a25ae47281f9b3bde7fc391

commit: 8ef4840b2349bca96c9e32f1798043ba229090f0 [log] [tgz]
author: Misha Krieger-Raynauld <mkriegerraynauld@gmail.com> Sun Oct 23 21:41:51 2022 -0400
committer: Misha Krieger-Raynauld <mkriegerraynauld@gmail.com> Sun Oct 23 21:44:42 2022 -0400
tree: 863581e9a6551b55074f847edf6e1a4ca1a0d29f
parent: 2f5d1ce11ffe896231d3addb449c6a1ab3d38bf8 [diff]
diff --git a/package-lock.json b/package-lock.json
index 401cfae..73599b7 100644
--- a/package-lock.json
+++ b/package-lock.json

@@ -9794,6 +9794,14 @@
       "integrity": "sha512-Rf4YVNYpKjZ6ASAmibcwTNciQ5Co5Ztq6iZPEykHpkoflnD/K5ryE/rHehFsTm4NJj8nKDhbi3eKBWGogmNnkg==",
       "dev": true
     },
+    "node_modules/helmet": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-6.0.0.tgz",
+      "integrity": "sha512-FO9RpR1wNJepH/GbLPQVtkE2eESglXL641p7SdyoT4LngHFJcZheHMoyUcjCZF4qpuMMO1u5q6RK0l9Ux8JBcg==",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/hey-listen": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/hey-listen/-/hey-listen-1.0.8.tgz",
@@ -17653,6 +17661,7 @@
         "argon2": "^0.29.1",
         "express": "^4.18.2",
         "express-async-handler": "^1.2.0",
+        "helmet": "^6.0.0",
         "jose": "^4.10.0",
         "loglevel": "^1.8.0",
         "reflect-metadata": "^0.1.13",
@@ -24737,6 +24746,11 @@
         }
       }
     },
+    "helmet": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-6.0.0.tgz",
+      "integrity": "sha512-FO9RpR1wNJepH/GbLPQVtkE2eESglXL641p7SdyoT4LngHFJcZheHMoyUcjCZF4qpuMMO1u5q6RK0l9Ux8JBcg=="
+    },
     "hey-listen": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/hey-listen/-/hey-listen-1.0.8.tgz",
@@ -25495,6 +25509,7 @@
         "argon2": "^0.29.1",
         "express": "^4.18.2",
         "express-async-handler": "^1.2.0",
+        "helmet": "^6.0.0",
         "jose": "^4.10.0",
         "loglevel": "^1.8.0",
         "nodemon": "^2.0.20",

diff --git a/server/package.json b/server/package.json
index a3a4c8a..6d17ce8 100644
--- a/server/package.json
+++ b/server/package.json

@@ -26,6 +26,7 @@
     "argon2": "^0.29.1",
     "express": "^4.18.2",
     "express-async-handler": "^1.2.0",
+    "helmet": "^6.0.0",
     "jose": "^4.10.0",
     "loglevel": "^1.8.0",
     "reflect-metadata": "^0.1.13",

diff --git a/server/src/app.ts b/server/src/app.ts
index 85e6b10..53c8c23 100644
--- a/server/src/app.ts
+++ b/server/src/app.ts

@@ -16,6 +16,7 @@
  * <https://www.gnu.org/licenses/>.
  */
 import express, { json, NextFunction, Request, Response } from 'express';
+import helmet from 'helmet';
 import { HttpStatusCode } from 'jami-web-common';
 import log from 'loglevel';
 import { Service } from 'typedi';
@@ -28,6 +29,8 @@
   async build() {
     const app = express();
 
+    // Setup middleware
+    app.use(helmet());
     app.use(json());
 
     // Setup routing
commit	8ef4840b2349bca96c9e32f1798043ba229090f0	[log] [tgz]
author	Misha Krieger-Raynauld <mkriegerraynauld@gmail.com>	Sun Oct 23 21:41:51 2022 -0400
committer	Misha Krieger-Raynauld <mkriegerraynauld@gmail.com>	Sun Oct 23 21:44:42 2022 -0400
tree	863581e9a6551b55074f847edf6e1a4ca1a0d29f
parent	2f5d1ce11ffe896231d3addb449c6a1ab3d38bf8 [diff]