Skip to content

Add a Content-Security-Policy and remove duplicate header logic via helmet #7

Description

@mikewheeleer

Harden response headers with helmet and a CSP

Description

The hand-rolled security-header middleware in src/index.ts sets X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security, but it omits a Content-Security-Policy and Cross-Origin-* headers, and it duplicates logic that helmet maintains and patches. This issue adopts helmet with an explicit policy while preserving the current header values.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Add helmet as a dependency and configure it to emit the existing four headers plus a restrictive Content-Security-Policy suitable for a JSON API (default-src 'none').
  • Preserve the current HSTS max-age=31536000; includeSubDomains.
  • Keep the API responses unchanged for non-browser clients.
  • Remove the now-redundant manual header middleware.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/headers-07-helmet-csp
  • Implement changes
    • Write code in: src/index.ts — replace the manual header middleware with a configured helmet() call; update package.json.
    • Write comprehensive tests in: src/__tests__/index.test.ts — assert the presence of CSP, HSTS, nosniff, and frame-deny headers on a /health response.
    • Add documentation: note the header policy in README.md.
    • Add TSDoc/comment explaining the CSP choice for an API.
    • Validate security: confirm no header is weakened versus the current behavior.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: assert each header individually.
  • Paste full npm test output in the PR.

Example commit message

feat(security): adopt helmet with a strict CSP for the JSON API

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions