Feature/setup helmet (#2096)

* Setup helmet * Update changelog
11 months ago · bf52f1137d
parent 54ea6c84b4
commit bf52f1137d
4 changed files with 14 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 - Added the caching for current market prices
 - Added a loading indicator to the import dividends dialog
+- Set up the `helmet` middleware to protect the app from web vulnerabilities by setting HTTP headers

 ### Changed

@ -1118,7 +1119,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 - Added support to change the appearance (dark mode) in user settings
 - Added the total amount chart to the investment timeline
- Setup the `prettier` plugin `prettier-plugin-organize-attributes`
+- Set up the `prettier` plugin `prettier-plugin-organize-attributes`

 ### Changed

--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@ -1,7 +1,9 @@
 import { Logger, ValidationPipe, VersioningType } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { NestFactory } from '@nestjs/core';
+import type { NestExpressApplication } from '@nestjs/platform-express';
 import * as bodyParser from 'body-parser';
+import helmet from 'helmet';

 import { AppModule } from './app/app.module';
 import { environment } from './environments/environment';
@ -10,11 +12,12 @@ async function bootstrap() {
  const configApp = await NestFactory.create(AppModule);
  const configService = configApp.get<ConfigService>(ConfigService);

-  const app = await NestFactory.create(AppModule, {
+  const app = await NestFactory.create<NestExpressApplication>(AppModule, {
    logger: environment.production
      ? ['error', 'log', 'warn']
      : ['debug', 'error', 'log', 'verbose', 'warn']
  });
+
  app.enableCors();
  app.enableVersioning({
    defaultVersion: '1',
@ -32,6 +35,8 @@ async function bootstrap() {
  // Support 10mb csv/json files for importing activities
  app.use(bodyParser.json({ limit: '10mb' }));

+  app.use(helmet());
+
  const BASE_CURRENCY = configService.get<string>('BASE_CURRENCY');
  const HOST = configService.get<string>('HOST') || '0.0.0.0';
  const PORT = configService.get<number>('PORT') || 3333;
--- a/package.json
+++ b/package.json
@ -105,6 +105,7 @@
    "date-fns": "2.29.3",
    "envalid": "7.3.1",
    "google-spreadsheet": "3.2.0",
+    "helmet": "7.0.0",
    "http-status-codes": "2.2.0",
    "ionicons": "7.1.0",
    "lodash": "4.17.21",
--- a/yarn.lock
+++ b/yarn.lock
@ -10720,6 +10720,11 @@ heap@^0.2.6:
  resolved "https://registry.yarnpkg.com/heap/-/heap-0.2.7.tgz#1e6adf711d3f27ce35a81fe3b7bd576c2260a8fc"
  integrity sha512-2bsegYkkHO+h/9MGbn6KWcE45cHZgPANo5LXF7EvWdT0yT2EguSVO1nDgU5c8+ZOPwp2vMNa7YFsJhVcDR9Sdg==

+helmet@7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.0.0.tgz#ac3011ba82fa2467f58075afa58a49427ba6212d"
+  integrity sha512-MsIgYmdBh460ZZ8cJC81q4XJknjG567wzEmv46WOBblDb6TUd3z8/GhgmsM9pn8g2B80tAJ4m5/d3Bi1KrSUBQ==
+
 hmac-drbg@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"