diff --git a/backend/src/app.module.ts b/backend/src/app.module.ts
index 61046f8..c618edb 100644
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@@ -36,6 +36,9 @@ export class AppModule {
   public configure(consumer: MiddlewareConsumer): void {
     consumer
       // TODO Redirect via Reverse Proxy all HTTP requests to HTTPS
+      // TODO use env.dev and end.prod
+      // TODO Implement helmet module
+      // TODO Implement CSRF protection -> csurf module
       .apply(
         CspMiddleware,
         SecurityHeadersMiddleware,
diff --git a/backend/src/middleware/security-middleware/security.middleware.ts b/backend/src/middleware/security-middleware/security.middleware.ts
index 6d66420..fa168eb 100644
--- a/backend/src/middleware/security-middleware/security.middleware.ts
+++ b/backend/src/middleware/security-middleware/security.middleware.ts
@@ -13,6 +13,13 @@ export class SecurityHeadersMiddleware implements NestMiddleware {
         'max-age=63072000; includeSubDomains; preload'
       );
     }
+    res.setHeader('Referrer-Policy', 'no-referrer');
+    res.setHeader(
+      'Permissions-Policy',
+      'geolocation=(), microphone=(), camera=()'
+    );
+    res.setHeader('X-XSS-Protection', '1; mode=block');
+    res.setHeader('X-Content-Type-Options', 'nosniff');
     res.setHeader('X-Frame-Options', 'SAMEORIGIN');
     next();
diff --git a/backend/src/modules/session/services/session-init.service.ts b/backend/src/modules/session/services/session-init.service.ts
index 9a4fb7b..6187316 100644
--- a/backend/src/modules/session/services/session-init.service.ts
+++ b/backend/src/modules/session/services/session-init.service.ts
@@ -24,6 +24,7 @@ export class SessionInitService {
         ttl: 86400,
       }).connect(this.dataSource.getRepository(Session)),
       cookie: {
+        // TODO: Check sameSite strict configuration on production
         maxAge: 86400000,
         httpOnly: true,
         secure:
@@ -34,7 +35,7 @@ export class SessionInitService {
         sameSite:
           this.configService.get('NODE_ENV') === 'development'
             ? 'strict'
-            : 'none',
+            : 'strict',
       },
     });
   }
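Review bot: The second added TODO reads `end.prod`, which looks like a typo for `env.prod`; it should be `// TODO use env.dev and env.prod` so the intent is unambiguous. The third TODO points at csurf, which has been deprecated upstream, so if CSRF protection is still planned the comment should name a maintained approach rather than send the next engineer to an archived package. Note also that SecurityHeadersMiddleware already sets several of the headers helmet would set, so the helmet TODO should say whether it replaces or supplements that middleware. configure() and the middleware chain continue outside the hunk.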
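Review bot: `X-XSS-Protection: 1; mode=block` re-enables the legacy browser XSS auditor, which current guidance (and helmet's default) recommends disabling because the filter has itself been a source of information leaks and modern browsers ignore it; the line should be `res.setHeader('X-XSS-Protection', '0');` or dropped, with CspMiddleware carrying the real protection. The other additions are sound, but they only hold if no later handler overwrites them, so a comment such as `// applied on every response; route handlers must not override these` would document the contract. The enclosing method (presumably use()) starts before the hunk, so the conditional wrapping the HSTS header is only partially visible.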
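Review bot: After this change both arms of the ternary yield 'strict', so the NODE_ENV check on the preceding lines is dead code and the setting should collapse to `sameSite: 'strict',`, which also makes the TODO added in the earlier hunk of this file easier to act on. 'strict' withholds the session cookie on top-level navigations arriving from another origin (following a link into the app, or a redirect back from an external login), so if such flows exist 'lax' may be the intended production value; the TODO should record which flows were checked. The `secure:` expression is cut off at the hunk boundary, so whether it uses the same environment switch cannot be confirmed here.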