added some security features

2024-09-16 23:36:10 +02:00 · 2024-09-16 23:36:10 +02:00 · 43d27368fc
parent 1add1e573f
commit 43d27368fc
3 changed files with 12 additions and 1 deletions
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@ -36,6 +36,9 @@ export class AppModule {
  public configure(consumer: MiddlewareConsumer): void {
    consumer
      // TODO Redirect via Reverse Proxy all HTTP requests to HTTPS
+      // TODO use env.dev and end.prod
+      // TODO Implement helmet module
+      // TODO Implement CSRF protection -> csurf module
      .apply(
        CspMiddleware,
        SecurityHeadersMiddleware,
--- a/backend/src/middleware/security-middleware/security.middleware.ts
+++ b/backend/src/middleware/security-middleware/security.middleware.ts
@ -13,6 +13,13 @@ export class SecurityHeadersMiddleware implements NestMiddleware {
        'max-age=63072000; includeSubDomains; preload'
      );
    }
+    res.setHeader('Referrer-Policy', 'no-referrer');
+    res.setHeader(
+      'Permissions-Policy',
+      'geolocation=(), microphone=(), camera=()'
+    );
+    res.setHeader('X-XSS-Protection', '1; mode=block');
+
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
    next();
--- a/backend/src/modules/session/services/session-init.service.ts
+++ b/backend/src/modules/session/services/session-init.service.ts
@ -24,6 +24,7 @@ export class SessionInitService {
        ttl: 86400,
      }).connect(this.dataSource.getRepository(Session)),
      cookie: {
+        // TODO: Check sameSite strict configuration on production
        maxAge: 86400000,
        httpOnly: true,
        secure:
@ -34,7 +35,7 @@ export class SessionInitService {
        sameSite:
          this.configService.get<string>('NODE_ENV') === 'development'
            ? 'strict'
-            : 'none',
+            : 'strict',
      },
    });
  }