added some security features

2024-09-16 23:36:10 +02:00 · 2024-09-16 23:36:10 +02:00 · 43d27368fc
parent 1add1e573f
commit 43d27368fc
3 changed files with 12 additions and 1 deletions
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@ -36,6 +36,9 @@ export class AppModule {
  public configure(consumer: MiddlewareConsumer): void {
    consumer
      // TODO Redirect via Reverse Proxy all HTTP requests to HTTPS
      // TODO use env.dev and end.prod
      // TODO Implement helmet module
      // TODO Implement CSRF protection -> csurf module
      .apply(
        CspMiddleware,
        SecurityHeadersMiddleware,
--- a/backend/src/middleware/security-middleware/security.middleware.ts
+++ b/backend/src/middleware/security-middleware/security.middleware.ts
@ -13,6 +13,13 @@ export class SecurityHeadersMiddleware implements NestMiddleware {
        'max-age=63072000; includeSubDomains; preload'
      );
    }
    res.setHeader('Referrer-Policy', 'no-referrer');
    res.setHeader(
      'Permissions-Policy',
      'geolocation=(), microphone=(), camera=()'
    );
    res.setHeader('X-XSS-Protection', '1; mode=block');
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
    next();
--- a/backend/src/modules/session/services/session-init.service.ts
+++ b/backend/src/modules/session/services/session-init.service.ts
@ -24,6 +24,7 @@ export class SessionInitService {
        ttl: 86400,
      }).connect(this.dataSource.getRepository(Session)),
      cookie: {
        // TODO: Check sameSite strict configuration on production
        maxAge: 86400000,
        httpOnly: true,
        secure:
@ -34,7 +35,7 @@ export class SessionInitService {
        sameSite:
          this.configService.get<string>('NODE_ENV') === 'development'
            ? 'strict'
-            : 'none',
+            : 'strict',
      },
    });
  }