backend/src/app.module.ts

@@ -36,6 +36,9 @@ export class AppModule {
   public configure(consumer: MiddlewareConsumer): void {
     consumer
       // TODO Redirect via Reverse Proxy all HTTP requests to HTTPS
+      // TODO use env.dev and end.prod
+      // TODO Implement helmet module
+      // TODO Implement CSRF protection -> csurf module
       .apply(
         CspMiddleware,
         SecurityHeadersMiddleware,

backend/src/middleware/security-middleware/security.middleware.ts

@@ -13,6 +13,13 @@ export class SecurityHeadersMiddleware implements NestMiddleware {
         'max-age=63072000; includeSubDomains; preload'
       );
     }
+    res.setHeader('Referrer-Policy', 'no-referrer');
+    res.setHeader(
+      'Permissions-Policy',
+      'geolocation=(), microphone=(), camera=()'
+    );
+    res.setHeader('X-XSS-Protection', '1; mode=block');
+
     res.setHeader('X-Content-Type-Options', 'nosniff');
     res.setHeader('X-Frame-Options', 'SAMEORIGIN');
     next();

backend/src/modules/session/services/session-init.service.ts

@@ -24,6 +24,7 @@ export class SessionInitService {
         ttl: 86400,
       }).connect(this.dataSource.getRepository(Session)),
       cookie: {
+        // TODO: Check sameSite strict configuration on production
         maxAge: 86400000,
         httpOnly: true,
         secure:
@@ -34,7 +35,7 @@ export class SessionInitService {
         sameSite:
           this.configService.get<string>('NODE_ENV') === 'development'
             ? 'strict'
-            : 'none',
+            : 'strict',
       },
     });
   }