## Context
The SIMS API needs to have security HTTP headers set for the endpoint
responses to satisfy some security issues raised by the WAVA scans.
Among the alternatives to achieve that, two of them can be highlighted
as most common:
1. Configure and set headers through the API itself;
2. Configure a reverse proxy to receive the client requests, redirect to
the API and change the response headers to the client.
## Configure and set headers through the API itself
Helmet.js is the middleware module recommended by
[Nest.js](https://docs.nestjs.com/security/helmet) and
[Express.js](https://expressjs.com/en/advanced/best-practice-security.html#use-helmet).
As its documentation mentions, we can achieve something similar [without
Helmet.js](https://helmetjs.github.io/faq/you-might-not-need-helmet/).
The middleware will set some headers by default and allow the developer
to customize it. Besides, it will organize it in a programmatically
[way](https://helmetjs.github.io/faq/conditional-options/).
Other middleware options:
- Lusca
- Security-Headers
- CSP-Header
- Express-Secure-Headers
It's also possible to set headers for the API responses without any
additional module by adding a middleware function:
```js
app.use((_, res, next) => {
res.setHeader("Cache-Control", "no-cache");
next();
});
```
## Configure a reverse proxy to receive the client requests, redirect to
the API and change the response headers to the client.
In the existing architecture, the existing Nginx server used for the web
module could also be configured as a reverse proxy for the API, adding
headers to the API requests.
Sample Nginx configuration:
```
location /api/ {
proxy_pass http://dev-api-sims:3000;
proxy_set_header Host $host;
proxy_set_header X-Content-Type-Options nosniff;
...
}
```
Although the Nginx configuration is not complex, having this redirection
of requests to the Nginx server would imply in changing API OpenShift
route to the Nginx Server, new log messages would be logged to Nginx
regarding the API requests and a new point of failure would be added.
Also, a reverse proxy is usually used to help us solve issues like CORS
configuration, Load Balancing, SSL/TLS Termination, Request Rate
limiting, Scalability, among others issues. In our architecture hosted
on OpenShift these issues are already or can be addressed either by
configuring OpenShift features or by setting in the API through
Express.js. For this reason this option was not chosen to be implemented
now.
## Implementation
In this PR it was added Helmet.js npm package and addressed some of the
issues presented by the Wava scan for the institution module. Some
headers were added without using Helmet because the Helmet module itself
doesn't support them. There's an additional module called
[nocache](https://github.com/helmetjs/nocache) that would be supposed to
deal with "Cache-Control" header but is not worth it to add a new npm
package just to add a [small middleware
function](https://github.com/helmetjs/nocache/blob/main/index.js).
### New Headers
## References
- https://docs.nestjs.com/security/helmet
-
https://expressjs.com/en/advanced/best-practice-security.html#use-helmet
- https://helmetjs.github.io/
- https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
-
https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-to-setup-Nginx-reverse-proxy-servers-by-example
