security: adopt helmet with tuned csp #232

Open

pq198363-ops wants to merge 1 commit into Agentpay-Org:main from pq198363-ops:bounty-50-helmet-csp
Conversation

@pq198363-ops

Closes #50

Summary

  • replaces the hand-set security header middleware with Helmet
  • configures a JSON API CSP with default-src 'none', frame-ancestors 'none', and explicit script/style/resource denial
  • preserves HSTS preload, frame deny, no-referrer, nosniff, and the existing Permissions-Policy restrictions
  • covers JSON, CSV/JSON download, and Prometheus metrics responses

TDD evidence

  • RED: npm run build; $env:NODE_ENV='test'; node --test dist/security-headers.test.js failed 3 tests because the Content-Security-Policy header was missing
  • GREEN: same focused command passed after adopting Helmet

Validation

  • npx prettier --check README.md src/middleware/index.ts src/security-headers.test.ts package.json package-lock.json
  • npm run lint
  • clean dist/, then npm run build
  • $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js

Full clean test summary: 92 tests, 11 suites, 92 pass, 0 fail.

Note: the package npm test script uses POSIX-style NODE_ENV=test, so on Windows PowerShell I ran the equivalent build plus node --test command above.
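The header set this PR describes, written out as an added example that is not the PR's own code: the tuned CSP and companion headers expressed as Helmet options, plus an audit function of the kind the RED test relies on. Assumptions: Helmet 7 option names, an HSTS max-age of one year, and a constructed "before" response; the example runs offline without the helmet package itself.

```javascript
// Added example (not the PR's code). Assumes Helmet 7 option names; the
// helmet package is not required here, so this runs stand-alone.
const cspDirectives = {
  'default-src': ["'none'"],
  'frame-ancestors': ["'none'"],
  'script-src': ["'none'"],
  'style-src': ["'none'"],
  'img-src': ["'none'"],
  'connect-src': ["'none'"],
  'base-uri': ["'none'"],
  'form-action': ["'none'"],
};

// Options object of the shape helmet(...) accepts (assumed Helmet 7 names).
// Helmet does not emit Permissions-Policy, so that header stays in separate
// middleware, as the PR summary says it is preserved.
const helmetOptions = {
  contentSecurityPolicy: { useDefaults: false, directives: cspDirectives },
  strictTransportSecurity: { maxAge: 31536000, includeSubDomains: true, preload: true }, // assumed max-age
  frameguard: { action: 'deny' },
  referrerPolicy: { policy: 'no-referrer' },
  noSniff: true,
};

// Serialise directives the way the Content-Security-Policy header carries them.
function buildCsp(directives) {
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(' ')}`).join('; ');
}

// Expected response headers for the JSON API, keyed in lowercase.
const expectedHeaders = {
  'content-security-policy': buildCsp(cspDirectives),
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'referrer-policy': 'no-referrer',
  'x-content-type-options': 'nosniff',
};

// Returns the names of expected headers that are missing or carry a different value.
function auditSecurityHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  return Object.keys(expectedHeaders).filter((name) => lower[name] !== expectedHeaders[name]);
}

// Constructed sample: the hand-set header set before this PR, with no CSP.
const beforeResponse = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'X-Content-Type-Options': 'nosniff',
};
```

Running auditSecurityHeaders(beforeResponse) reports only content-security-policy, which matches the three RED failures the PR describes, and the audit is empty once the CSP header built from the same directives is present.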

Development

Successfully merging this pull request may close these issues.

Replace the hand-rolled security-header middleware with Helmet and a tuned CSP