Harden response headers with helmet and a CSP
Description
The hand-rolled security-header middleware in src/index.ts sets X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security, but it omits a Content-Security-Policy and Cross-Origin-* headers, and it duplicates logic that helmet maintains and patches. This issue adopts helmet with an explicit policy while preserving the current header values.
Requirements and context
- Repository scope:
StableRoute-Org/Stableroute-backend only.
- Add
helmet as a dependency and configure it to emit the existing four headers plus a restrictive Content-Security-Policy suitable for a JSON API (default-src 'none').
- Preserve the current HSTS
max-age=31536000; includeSubDomains.
- Keep the API responses unchanged for non-browser clients.
- Remove the now-redundant manual header middleware.
Suggested execution
- Fork the repo and create a branch
git checkout -b security/headers-07-helmet-csp
- Implement changes
- Write code in:
src/index.ts — replace the manual header middleware with a configured helmet() call; update package.json.
- Write comprehensive tests in:
src/__tests__/index.test.ts — assert the presence of CSP, HSTS, nosniff, and frame-deny headers on a /health response.
- Add documentation: note the header policy in
README.md.
- Add TSDoc/comment explaining the CSP choice for an API.
- Validate security: confirm no header is weakened versus the current behavior.
- Test and commit
Test and commit
- Run
npm run build, npm run lint, and npm test.
- Cover edge cases: assert each header individually.
- Paste full
npm test output in the PR.
Example commit message
feat(security): adopt helmet with a strict CSP for the JSON API
Guidelines
- Minimum 95 percent test coverage for impacted code.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
Harden response headers with helmet and a CSP
Description
The hand-rolled security-header middleware in
src/index.tssetsX-Content-Type-Options,X-Frame-Options,Referrer-Policy, andStrict-Transport-Security, but it omits a Content-Security-Policy andCross-Origin-*headers, and it duplicates logic thathelmetmaintains and patches. This issue adoptshelmetwith an explicit policy while preserving the current header values.Requirements and context
StableRoute-Org/Stableroute-backendonly.helmetas a dependency and configure it to emit the existing four headers plus a restrictiveContent-Security-Policysuitable for a JSON API (default-src 'none').max-age=31536000; includeSubDomains.Suggested execution
git checkout -b security/headers-07-helmet-cspsrc/index.ts— replace the manual header middleware with a configuredhelmet()call; updatepackage.json.src/__tests__/index.test.ts— assert the presence of CSP, HSTS, nosniff, and frame-deny headers on a/healthresponse.README.md.Test and commit
npm run build,npm run lint, andnpm test.npm testoutput in the PR.Example commit message
feat(security): adopt helmet with a strict CSP for the JSON APIGuidelines
Community & contribution rewards