Merge pull request #219 from clems4ever/helmet-protection

Add helmet dependency and add it as express middleware
pull/220/head
Clément Michaud 2018-04-26 09:46:24 +02:00 committed by GitHub
commit efd037134a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 125 additions and 7 deletions

package-lock.json generated

@ -81,7 +81,6 @@
"version": "4.0.37", "version": "4.0.37",
"resolved": "https://registry.npmjs.org/@types/express/-/express-4.0.37.tgz", "resolved": "https://registry.npmjs.org/@types/express/-/express-4.0.37.tgz",
"integrity": "sha512-tIULTLzQpFFs5/PKnFIAFOsXQxss76glppbVKR3/jddPK26SBsD5HF5grn5G2jOGtpRWSBvYmDYoduVv+3wOXg==", "integrity": "sha512-tIULTLzQpFFs5/PKnFIAFOsXQxss76glppbVKR3/jddPK26SBsD5HF5grn5G2jOGtpRWSBvYmDYoduVv+3wOXg==",
"dev": true,
"requires": { "requires": {
"@types/express-serve-static-core": "4.0.53", "@types/express-serve-static-core": "4.0.53",
"@types/serve-static": "1.7.32" "@types/serve-static": "1.7.32"
@ -91,7 +90,6 @@
"version": "4.0.53", "version": "4.0.53",
"resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.0.53.tgz", "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.0.53.tgz",
"integrity": "sha512-zaGeOpEYp5G2EhjaUFdVwysDrfEYc6Q6iPhd3Kl4ip30x0tvVv7SuJvY3yzCUSuFlzAG8N5KsyY6BJg93/cn+Q==", "integrity": "sha512-zaGeOpEYp5G2EhjaUFdVwysDrfEYc6Q6iPhd3Kl4ip30x0tvVv7SuJvY3yzCUSuFlzAG8N5KsyY6BJg93/cn+Q==",
"dev": true,
"requires": { "requires": {
"@types/node": "8.0.46" "@types/node": "8.0.46"
} }
@ -116,6 +114,14 @@
"@types/node": "8.0.46" "@types/node": "8.0.46"
} }
}, },
"@types/helmet": {
"version": "0.0.37",
"resolved": "https://registry.npmjs.org/@types/helmet/-/helmet-0.0.37.tgz",
"integrity": "sha512-E45vdnx+7+HIN5jsywhzfd+hUI/2yBFr6RT7tsMVrwp+uTvyVANBf4dyVUNW/+ZqAvcx23t2YtGTndQJR3tXIA==",
"requires": {
"@types/express": "4.0.37"
}
},
"@types/jquery": { "@types/jquery": {
"version": "3.3.1", "version": "3.3.1",
"resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-3.3.1.tgz", "resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-3.3.1.tgz",
@ -146,8 +152,7 @@
"@types/mime": { "@types/mime": {
"version": "2.0.0", "version": "2.0.0",
"resolved": "https://registry.npmjs.org/@types/mime/-/mime-2.0.0.tgz", "resolved": "https://registry.npmjs.org/@types/mime/-/mime-2.0.0.tgz",
"integrity": "sha512-A2TAGbTFdBw9azHbpVd+/FkdW2T6msN1uct1O9bH3vTerEHKZhTXJUQXy+hNq1B0RagfU8U+KBdqiZpxjhOUQA==", "integrity": "sha512-A2TAGbTFdBw9azHbpVd+/FkdW2T6msN1uct1O9bH3vTerEHKZhTXJUQXy+hNq1B0RagfU8U+KBdqiZpxjhOUQA=="
"dev": true
}, },
"@types/mocha": { "@types/mocha": {
"version": "5.0.0", "version": "5.0.0",
@ -181,8 +186,7 @@
"@types/node": { "@types/node": {
"version": "8.0.46", "version": "8.0.46",
"resolved": "https://registry.npmjs.org/@types/node/-/node-8.0.46.tgz", "resolved": "https://registry.npmjs.org/@types/node/-/node-8.0.46.tgz",
"integrity": "sha512-rRkP4kb5JYIfAoRKaDbcdPZBcTNOgzSApyzhPN9e6rhViSJAWQGlSXIX5gc75iR02jikhpzy3usu31wMHllfFw==", "integrity": "sha512-rRkP4kb5JYIfAoRKaDbcdPZBcTNOgzSApyzhPN9e6rhViSJAWQGlSXIX5gc75iR02jikhpzy3usu31wMHllfFw=="
"dev": true
}, },
"@types/nodemailer": { "@types/nodemailer": {
"version": "4.6.0", "version": "4.6.0",
@ -331,7 +335,6 @@
"version": "1.7.32", "version": "1.7.32",
"resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.7.32.tgz", "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.7.32.tgz",
"integrity": "sha512-WpI0g7M1FiOmJ/a97Qrjafq2I938tjAZ3hZr9O7sXyA6oUhH3bqUNZIt7r1KZg8TQAKxcvxt6JjQ5XuLfIBFvg==", "integrity": "sha512-WpI0g7M1FiOmJ/a97Qrjafq2I938tjAZ3hZr9O7sXyA6oUhH3bqUNZIt7r1KZg8TQAKxcvxt6JjQ5XuLfIBFvg==",
"dev": true,
"requires": { "requires": {
"@types/express-serve-static-core": "4.0.53", "@types/express-serve-static-core": "4.0.53",
"@types/mime": "2.0.0" "@types/mime": "2.0.0"
@ -1368,6 +1371,11 @@
} }
} }
}, },
"camelize": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/camelize/-/camelize-1.0.0.tgz",
"integrity": "sha1-FkpUg+Yw+kMh5a8HAg5TGDGyYJs="
},
"caseless": { "caseless": {
"version": "0.12.0", "version": "0.12.0",
"resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz",
@ -1626,6 +1634,11 @@
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz", "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz",
"integrity": "sha1-DPaLud318r55YcOoUXjLhdunjLQ=" "integrity": "sha1-DPaLud318r55YcOoUXjLhdunjLQ="
}, },
"content-security-policy-builder": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/content-security-policy-builder/-/content-security-policy-builder-2.0.0.tgz",
"integrity": "sha512-j+Nhmj1yfZAikJLImCvPJFE29x/UuBi+/MWqggGGc515JKaZrjuei2RhULJmy0MsstW3E3htl002bwmBNMKr7w=="
},
"content-type": { "content-type": {
"version": "1.0.4", "version": "1.0.4",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz", "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
@ -1887,6 +1900,11 @@
"assert-plus": "1.0.0" "assert-plus": "1.0.0"
} }
}, },
"dasherize": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/dasherize/-/dasherize-2.0.0.tgz",
"integrity": "sha1-bYCcnNDPe7iVLYD8hPoT1H3bEwg="
},
"date-now": { "date-now": {
"version": "0.1.4", "version": "0.1.4",
"resolved": "https://registry.npmjs.org/date-now/-/date-now-0.1.4.tgz", "resolved": "https://registry.npmjs.org/date-now/-/date-now-0.1.4.tgz",
@ -2050,6 +2068,11 @@
"randombytes": "2.0.6" "randombytes": "2.0.6"
} }
}, },
"dns-prefetch-control": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/dns-prefetch-control/-/dns-prefetch-control-0.1.0.tgz",
"integrity": "sha1-YN20V3dOF48flBXwyrsOhbCzALI="
},
"doctypes": { "doctypes": {
"version": "1.1.0", "version": "1.1.0",
"resolved": "https://registry.npmjs.org/doctypes/-/doctypes-1.1.0.tgz", "resolved": "https://registry.npmjs.org/doctypes/-/doctypes-1.1.0.tgz",
@ -2067,6 +2090,11 @@
"integrity": "sha512-WpwuBlZ2lQRFa4H/4w49deb9rJLot9KmqrKKjMc9qBl7CID+DdC2swoa34ccRl+anL2B6bLp6TjFdIdnzekMBQ==", "integrity": "sha512-WpwuBlZ2lQRFa4H/4w49deb9rJLot9KmqrKKjMc9qBl7CID+DdC2swoa34ccRl+anL2B6bLp6TjFdIdnzekMBQ==",
"dev": true "dev": true
}, },
"dont-sniff-mimetype": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/dont-sniff-mimetype/-/dont-sniff-mimetype-1.0.0.tgz",
"integrity": "sha1-WTKJDcn04vGeXrAqIAJuXl78j1g="
},
"double-ended-queue": { "double-ended-queue": {
"version": "2.1.0-0", "version": "2.1.0-0",
"resolved": "https://registry.npmjs.org/double-ended-queue/-/double-ended-queue-2.1.0-0.tgz", "resolved": "https://registry.npmjs.org/double-ended-queue/-/double-ended-queue-2.1.0-0.tgz",
@ -2412,6 +2440,11 @@
"fill-range": "2.2.3" "fill-range": "2.2.3"
} }
}, },
"expect-ct": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/expect-ct/-/expect-ct-0.1.0.tgz",
"integrity": "sha1-UnNWeN4YUwiQ2Ne5XwrGNkCVgJQ="
},
"express": { "express": {
"version": "4.16.2", "version": "4.16.2",
"resolved": "https://registry.npmjs.org/express/-/express-4.16.2.tgz", "resolved": "https://registry.npmjs.org/express/-/express-4.16.2.tgz",
@ -2746,6 +2779,11 @@
"resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz", "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",
"integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ=" "integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ="
}, },
"frameguard": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/frameguard/-/frameguard-3.0.0.tgz",
"integrity": "sha1-e8rUae57lukdEs6zlZx4I1qScuk="
},
"fresh": { "fresh": {
"version": "0.5.2", "version": "0.5.2",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
@ -3631,6 +3669,42 @@
"integrity": "sha1-k0EP0hsAlzUVH4howvJx80J+I/0=", "integrity": "sha1-k0EP0hsAlzUVH4howvJx80J+I/0=",
"dev": true "dev": true
}, },
"helmet": {
"version": "3.12.0",
"resolved": "https://registry.npmjs.org/helmet/-/helmet-3.12.0.tgz",
"integrity": "sha512-CgkctpvreQLL6X3EL2Igs/92+75ZFIsrob9/Rdwf2hQCBGH/DxLk4xFPxAAl6jYnnus/YXfFEVXHEJf8TJTwlA==",
"requires": {
"dns-prefetch-control": "0.1.0",
"dont-sniff-mimetype": "1.0.0",
"expect-ct": "0.1.0",
"frameguard": "3.0.0",
"helmet-csp": "2.7.0",
"hide-powered-by": "1.0.0",
"hpkp": "2.0.0",
"hsts": "2.1.0",
"ienoopen": "1.0.0",
"nocache": "2.0.0",
"referrer-policy": "1.1.0",
"x-xss-protection": "1.1.0"
}
},
"helmet-csp": {
"version": "2.7.0",
"resolved": "https://registry.npmjs.org/helmet-csp/-/helmet-csp-2.7.0.tgz",
"integrity": "sha512-IGIAkWnxjRbgMXFA2/kmDqSIrIaSfZ6vhMHlSHw7jm7Gm9nVVXqwJ2B1YEpYrJsLrqY+w2Bbimk7snux9+sZAw==",
"requires": {
"camelize": "1.0.0",
"content-security-policy-builder": "2.0.0",
"dasherize": "2.0.0",
"lodash.reduce": "4.6.0",
"platform": "1.3.5"
}
},
"hide-powered-by": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/hide-powered-by/-/hide-powered-by-1.0.0.tgz",
"integrity": "sha1-SoWtZYgfYoV/xwr3F0oRhNzM4ys="
},
"hmac-drbg": { "hmac-drbg": {
"version": "1.0.1", "version": "1.0.1",
"resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz", "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
@ -3660,6 +3734,16 @@
"integrity": "sha512-pNgbURSuab90KbTqvRPsseaTxOJCZBD0a7t+haSN33piP9cCM4l0CqdzAif2hUqm716UovKB2ROmiabGAKVXyg==", "integrity": "sha512-pNgbURSuab90KbTqvRPsseaTxOJCZBD0a7t+haSN33piP9cCM4l0CqdzAif2hUqm716UovKB2ROmiabGAKVXyg==",
"dev": true "dev": true
}, },
"hpkp": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/hpkp/-/hpkp-2.0.0.tgz",
"integrity": "sha1-EOFCJk52IVpdMMROxD3mTe5tFnI="
},
"hsts": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/hsts/-/hsts-2.1.0.tgz",
"integrity": "sha512-zXhh/DqgrTXJ7erTN6Fh5k/xjMhDGXCqdYN3wvxUvGUQvnxcFfUd8E+6vLg/nk3ss1TYMb+DhRl25fYABioTvA=="
},
"html-encoding-sniffer": { "html-encoding-sniffer": {
"version": "1.0.2", "version": "1.0.2",
"resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-1.0.2.tgz", "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-1.0.2.tgz",
@ -3741,6 +3825,11 @@
"integrity": "sha512-byWFX8OyW/qeVxcY21r6Ncxl0ZYHgnf0cPup2h34eHXrCJbOp7IuqnJ4Q0omfyWl6Z++BTI6bByf31pZt7iRLg==", "integrity": "sha512-byWFX8OyW/qeVxcY21r6Ncxl0ZYHgnf0cPup2h34eHXrCJbOp7IuqnJ4Q0omfyWl6Z++BTI6bByf31pZt7iRLg==",
"dev": true "dev": true
}, },
"ienoopen": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/ienoopen/-/ienoopen-1.0.0.tgz",
"integrity": "sha1-NGpCj0dKrI9QzzeE6i0PFvYr2ms="
},
"immediate": { "immediate": {
"version": "3.0.6", "version": "3.0.6",
"resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz", "resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz",
@ -4620,6 +4709,11 @@
"integrity": "sha1-LcvSwofLwKVcxCMovQxzYVDVPj8=", "integrity": "sha1-LcvSwofLwKVcxCMovQxzYVDVPj8=",
"dev": true "dev": true
}, },
"lodash.reduce": {
"version": "4.6.0",
"resolved": "https://registry.npmjs.org/lodash.reduce/-/lodash.reduce-4.6.0.tgz",
"integrity": "sha1-8atrg5KZrUj3hKu/R2WW8DuRTTs="
},
"lodash.sortby": { "lodash.sortby": {
"version": "4.7.0", "version": "4.7.0",
"resolved": "https://registry.npmjs.org/lodash.sortby/-/lodash.sortby-4.7.0.tgz", "resolved": "https://registry.npmjs.org/lodash.sortby/-/lodash.sortby-4.7.0.tgz",
@ -5146,6 +5240,11 @@
"lower-case": "1.1.4" "lower-case": "1.1.4"
} }
}, },
"nocache": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/nocache/-/nocache-2.0.0.tgz",
"integrity": "sha1-ICtIAhoMTL3i34DeFaF0Q8i0OYA="
},
"nodemailer": { "nodemailer": {
"version": "4.3.0", "version": "4.3.0",
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.3.0.tgz", "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.3.0.tgz",
@ -8373,6 +8472,11 @@
"pinkie": "2.0.4" "pinkie": "2.0.4"
} }
}, },
"platform": {
"version": "1.3.5",
"resolved": "https://registry.npmjs.org/platform/-/platform-1.3.5.tgz",
"integrity": "sha512-TuvHS8AOIZNAlE77WUDiR4rySV/VMptyMfcfeoMgs4P8apaZM3JrnbzBiixKUv+XR6i+BXrQh8WAnjaSPFO65Q=="
},
"pn": { "pn": {
"version": "1.0.0", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/pn/-/pn-1.0.0.tgz", "resolved": "https://registry.npmjs.org/pn/-/pn-1.0.0.tgz",
@ -9013,6 +9117,11 @@
"resolved": "https://registry.npmjs.org/redis-parser/-/redis-parser-2.6.0.tgz", "resolved": "https://registry.npmjs.org/redis-parser/-/redis-parser-2.6.0.tgz",
"integrity": "sha1-Uu0J2srBCPGmMcB+m2mUHnoZUEs=" "integrity": "sha1-Uu0J2srBCPGmMcB+m2mUHnoZUEs="
}, },
"referrer-policy": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/referrer-policy/-/referrer-policy-1.1.0.tgz",
"integrity": "sha1-NXdOtzW/UPtsB46DM0tHI1AgfXk="
},
"regenerator-runtime": { "regenerator-runtime": {
"version": "0.11.1", "version": "0.11.1",
"resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz", "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
@ -10927,6 +11036,11 @@
"resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
}, },
"x-xss-protection": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/x-xss-protection/-/x-xss-protection-1.1.0.tgz",
"integrity": "sha512-rx3GzJlgEeZ08MIcDsU2vY2B1QEriUKJTSiNHHUIem6eg9pzVOr2TL3Y4Pd6TMAM5D5azGjcxqI62piITBDHVg=="
},
"xml-name-validator": { "xml-name-validator": {
"version": "2.0.1", "version": "2.0.1",
"resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-2.0.1.tgz", "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-2.0.1.tgz",


@ -32,6 +32,7 @@
"express": "^4.14.0", "express": "^4.14.0",
"express-request-id": "^1.4.0", "express-request-id": "^1.4.0",
"express-session": "^1.14.2", "express-session": "^1.14.2",
"helmet": "^3.12.0",
"ldapjs": "^1.0.2", "ldapjs": "^1.0.2",
"mongodb": "^3.0.5", "mongodb": "^3.0.5",
"nedb": "^1.8.0", "nedb": "^1.8.0",
@ -57,6 +58,7 @@
"@types/ejs": "^2.3.33", "@types/ejs": "^2.3.33",
"@types/express": "^4.0.35", "@types/express": "^4.0.35",
"@types/express-session": "1.15.8", "@types/express-session": "1.15.8",
"@types/helmet": "0.0.37",
"@types/jquery": "^3.3.1", "@types/jquery": "^3.3.1",
"@types/jsdom": "^11.0.4", "@types/jsdom": "^11.0.4",
"@types/ldapjs": "^1.0.2", "@types/ldapjs": "^1.0.2",
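Review bot: `"@types/helmet": "0.0.37"` is added to what looks like the devDependencies block (every neighbouring entry is an `@types/*` package), yet the regenerated package-lock.json in this commit records `@types/helmet` without `"dev": true` and drops `"dev": true` from `@types/express`, `@types/express-serve-static-core`, `@types/mime`, `@types/node` and `@types/serve-static`, which is how npm marks a production dependency and its transitive tree. The two files therefore disagree about whether the typings ship to production; the next `npm install` against this package.json will rewrite the lock file and flip those flags back, producing an unrelated lock-file churn. If `@types/helmet` is meant to stay a dev dependency, the lock file should be regenerated from this package.json before merging; if it is meant to be a runtime dependency, it belongs in the first hunk next to `"helmet": "^3.12.0"`. The exact pin `0.0.37` (no caret) matches the neighbouring `"@types/express-session": "1.15.8"`, so that part is consistent.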


@ -8,6 +8,7 @@ import * as BodyParser from "body-parser";
import { RestApi } from "./RestApi"; import { RestApi } from "./RestApi";
import { WithHeadersLogged } from "./middlewares/WithHeadersLogged"; import { WithHeadersLogged } from "./middlewares/WithHeadersLogged";
import { ServerVariables } from "../ServerVariables"; import { ServerVariables } from "../ServerVariables";
import Helmet = require("helmet");
const addRequestId = require("express-request-id")(); const addRequestId = require("express-request-id")();
@ -36,6 +37,7 @@ export class Configurator {
app.use(WithHeadersLogged.middleware(vars.logger)); app.use(WithHeadersLogged.middleware(vars.logger));
app.disable(X_POWERED_BY); app.disable(X_POWERED_BY);
app.enable(TRUST_PROXY); app.enable(TRUST_PROXY);
app.use(Helmet());
app.set(VIEWS, viewsDirectory); app.set(VIEWS, viewsDirectory);
app.set(VIEW_ENGINE, PUG); app.set(VIEW_ENGINE, PUG);
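Review bot: `app.use(Helmet())` in the second hunk takes Helmet 3's default bundle, which in 3.12.0 does not include a Content-Security-Policy or Referrer-Policy, so the Pug views configured on the two following lines are still served without a CSP; if that is the intended scope for now, say so above the call, e.g. `// Helmet defaults only (dnsPrefetchControl, frameguard, hidePoweredBy, hsts, ieNoOpen, noSniff, xssFilter); CSP and Referrer-Policy are not enabled and still need Helmet.contentSecurityPolicy() / Helmet.referrerPolicy()`. With hidePoweredBy in that default set, `app.disable(X_POWERED_BY)` two lines above becomes redundant; keeping both is harmless, but a short comment avoids a later reader wondering which one is authoritative. The Configurator method continues on both sides of this hunk, so the `app.use` calls registered before line 37 are not visible here; any of them that can finish a response on its own would do so without Helmet's headers, so it is worth confirming Helmet sits ahead of them rather than after the logging middleware.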