From d8213d8f031ad57fddab52c25ce218c8f7681765 Mon Sep 17 00:00:00 2001
From: marcioaffonso
Date: Thu, 10 Sep 2020 17:28:19 +0200
Subject: [PATCH] [ECO-4623] - Add security headers
---
 api.yml | 1 +
 package-lock.json | 5 +++++
 package.json | 1 +
 server/serverMethods.js | 8 ++++++++
 4 files changed, 15 insertions(+)
diff --git a/api.yml b/api.yml
index ad9910b9c..05a5e1f80 100644
--- a/api.yml
+++ b/api.yml
@@ -18,6 +18,7 @@ produces:
 x-implementation-module: serverMethods.js
 x-implementation-middleware:
 - configReady
+ - securityHeaders
 - iframingOptions
 - featureEnabled
 x-implementation-configuration: loadConfig
diff --git a/package-lock.json b/package-lock.json
index 8abefc720..d73f15867 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5946,6 +5946,11 @@
 "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==",
 "dev": true
 },
+ "helmet": {
+ "version": "4.1.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-4.1.0.tgz",
+ "integrity": "sha512-KWy75fYN8hOG2Rhl8e5B3WhOzb0by1boQum85TiddIE9iu6gV+TXbUjVC17wfej0o/ZUpqB9kxM0NFCZRMzf+Q=="
+ },
 "hmac-drbg": {
 "version": "1.0.1",
 "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
diff --git a/package.json b/package.json
index b2eb77d47..40f3a4b30 100644
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
 "grunt-html-build": "^0.7.1",
 "grunt-karma": "^0.12.2",
 "grunt-mocha-test": "^0.12.7",
+ "helmet": "^4.1.0",
 "ioredis": "^4.6.3",
 "lodash": "^4.17.19",
 "opentok": "^2.3.0",
diff --git a/server/serverMethods.js b/server/serverMethods.js
index 581968525..18004a2e0 100644
--- a/server/serverMethods.js
+++ b/server/serverMethods.js
@@ -12,12 +12,19 @@
 'use strict';
 var SwaggerBP = require('swagger-boilerplate');
+var helmet = require('helmet');
 var C = require('./serverConstants');
 var configLoader = require('./configLoader');
 var FirebaseArchives = require('./firebaseArchives');
 var GoogleAuth = require('./googleAuthStrategies');
 var testHealth = require('./testHealth');
+var securityHeaders = helmet({
+ referrerPolicy: { policy: 'no-referrer-when-downgrade' },
+ contentSecurityPolicy: false,
+ frameGuard: false, // configured by tbConfig.allowIframing
+});
+
 function ServerMethods(aLogLevel, aModules) {
 aModules = aModules || {};
@@ -848,6 +855,7 @@ function ServerMethods(aLogLevel, aModules) {
 return {
 logger,
 configReady,
+ securityHeaders,
 iframingOptions,
 featureEnabled,
 loadConfig,
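Review bot: On the `frameGuard: false` line the option key does not match helmet's API: helmet 4 spells it `frameguard` (all lowercase) and, as far as I can tell, ignores keys it does not recognise, so the frameguard middleware is still installed and every response leaves `securityHeaders` carrying `X-Frame-Options: SAMEORIGIN`, contrary to the comment that framing is governed by `tbConfig.allowIframing`. Change the line to `frameguard: false, // X-Frame-Options is set by iframingOptions from tbConfig.allowIframing` and add a test that runs `securityHeaders` on its own and asserts the header is absent. `no-referrer-when-downgrade` is the legacy browser default and still sends the full URL to cross-origin HTTPS destinations, so `strict-origin-when-cross-origin` is the safer choice unless a consumer of the referrer needs the path. `contentSecurityPolicy: false` discards helmet 4's default policy entirely, presumably because it would block the app's assets — worth a `// TODO: define a CSP instead of disabling it` comment so it is not read as a permanent decision. The body of ServerMethods continues outside the hunk.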