From 411bb42177cd4ee2769a95d9816d3e6ed584699b Mon Sep 17 00:00:00 2001 From: Kyle Morel Date: Mon, 18 Dec 2023 09:59:47 -0800 Subject: [PATCH] Implement Helmet content security policy --- app/app.js | 13 +++++++++++++ app/package-lock.json | 14 ++++++++++++++ app/package.json | 1 + 3 files changed, 28 insertions(+) diff --git a/app/app.js b/app/app.js index 4d273cea..b2e4936b 100644 --- a/app/app.js +++ b/app/app.js @@ -3,6 +3,7 @@ const compression = require('compression'); const config = require('config'); const cors = require('cors'); const express = require('express'); +const helmet = require('helmet'); const { name: appName, version: appVersion } = require('./package.json'); const { AuthMode, DEFAULTCORS } = require('./src/components/constants'); @@ -33,6 +34,18 @@ const app = express(); app.use(compression()); app.use(cors(DEFAULTCORS)); app.use(express.urlencoded({ extended: true })); +app.use( + helmet({ + contentSecurityPolicy: { + directives: { + 'default-src': [ + "'self'", // eslint-disable-line + new URL(config.get('keycloak.serverUrl')).origin + ] + } + } + }) +); // Skip if running tests if (process.env.NODE_ENV !== 'test') { diff --git a/app/package-lock.json b/app/package-lock.json index f4f7e4f4..57bd56e7 100644 --- a/app/package-lock.json +++ b/app/package-lock.json @@ -21,6 +21,7 @@ "express": "^4.18.2", "express-basic-auth": "^1.2.1", "express-winston": "^4.2.0", + "helmet": "^7.1.0", "joi": "^17.11.0", "js-yaml": "^4.1.0", "jsonwebtoken": "^9.0.2", @@ -8144,6 +8145,14 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/helmet": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz", + "integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==", + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/hexoid": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/hexoid/-/hexoid-1.0.0.tgz", 
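Review bot: Widening `default-src` to the Keycloak origin in the new `app.use(helmet(...))` block grants that origin to every fetch directive that has no explicit entry (connect-src, frame-src, media-src, worker-src, …), not just the one the integration needs; if the intent is browser calls to or frames of the Keycloak server, a narrower `'connect-src'` and/or `'frame-src'` entry would express that and keep `default-src` at `"'self'"`. Helmet 7 merges `directives` with its default set unless `useDefaults: false` is given, so defaults such as `script-src 'self'`, `style-src 'self' https: 'unsafe-inline'` and `img-src 'self' data:` still apply and do not include the Keycloak origin, which is worth stating on the block, e.g. `// Merged with Helmet's default CSP; the Keycloak origin only reaches directives that fall back to default-src`. `new URL(config.get('keycloak.serverUrl')).origin` is evaluated at module load and throws a generic `Invalid URL` TypeError if the configured value is not an absolute URL, so a startup failure would not name the offending key; wrapping it in a small helper that rethrows with `{ cause }` and the key name would make that easier to diagnose. Because this runs ahead of the `NODE_ENV !== 'test'` guard, the test environment now also needs a valid `keycloak.serverUrl`, which may or may not be intended.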
@@ -20330,6 +20339,11 @@ "has-symbols": "^1.0.2" } }, + "helmet": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz", + "integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==" + }, "hexoid": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/hexoid/-/hexoid-1.0.0.tgz", diff --git a/app/package.json b/app/package.json index a274e46b..a1095860 100644 --- a/app/package.json +++ b/app/package.json @@ -41,6 +41,7 @@ "express": "^4.18.2", "express-basic-auth": "^1.2.1", "express-winston": "^4.2.0", + "helmet": "^7.1.0", "joi": "^17.11.0", "js-yaml": "^4.1.0", "jsonwebtoken": "^9.0.2",