Merge pull request #643 from marcioaffonso/ECO-4623

[ECO-4623] - Add security headers
opentok · Sep 10, 2020 · 07a5554 · 07a5554
2 parents 46f96e9 + d8213d8
commit 07a5554
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 0 deletions.
diff --git a/api.yml b/api.yml
@@ -18,6 +18,7 @@ produces:
 x-implementation-module: serverMethods.js
 x-implementation-middleware:
   - configReady
+  - securityHeaders
   - iframingOptions
   - featureEnabled
 x-implementation-configuration: loadConfig

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,6 +49,7 @@
     "grunt-html-build": "^0.7.1",
     "grunt-karma": "^0.12.2",
     "grunt-mocha-test": "^0.12.7",
+    "helmet": "^4.1.0",
     "ioredis": "^4.6.3",
     "lodash": "^4.17.19",
     "opentok": "^2.3.0",

diff --git a/server/serverMethods.js b/server/serverMethods.js
@@ -12,12 +12,19 @@
 'use strict';
 
 var SwaggerBP = require('swagger-boilerplate');
+var helmet = require('helmet');
 var C = require('./serverConstants');
 var configLoader = require('./configLoader');
 var FirebaseArchives = require('./firebaseArchives');
 var GoogleAuth = require('./googleAuthStrategies');
 var testHealth = require('./testHealth');
 
+var securityHeaders = helmet({
+  referrerPolicy: { policy: 'no-referrer-when-downgrade' },
+  contentSecurityPolicy: false,
+  frameGuard: false, // configured by tbConfig.allowIframing
+});
+
 function ServerMethods(aLogLevel, aModules) {
   aModules = aModules || {};
 
@@ -848,6 +855,7 @@ function ServerMethods(aLogLevel, aModules) {
   return {
     logger,
     configReady,
+    securityHeaders,
     iframingOptions,
     featureEnabled,
     loadConfig,