Skip to content

feat(security): adopt helmet with a strict CSP#245

Open
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/headers-07-helmet-csp
Open

feat(security): adopt helmet with a strict CSP#245
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/headers-07-helmet-csp

Conversation

@changliuchang777

Copy link
Copy Markdown

Summary

  • replace the manual security-header middleware with Helmet
  • add a strict CSP using default-src 'none' while preserving nosniff, DENY frameguard, no-referrer, and HSTS includeSubDomains
  • cover the CSP and existing security headers in the security header regression test
  • document the default Helmet-backed headers in README

Fixes #7

Validation

  • git diff --check passed
  • npm test -- --runInBand src/__tests__/securityHeaders.test.ts blocked by existing baseline parse error in src/index.ts: duplicate WEBHOOK_MAX_EVENTS
  • npm run build blocked by existing baseline TypeScript errors in src/index.ts and src/__tests__/store.adapter.test.ts; the new helmet dependency resolves locally after install
  • npm run lint blocked by existing baseline lint errors unrelated to this change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add a Content-Security-Policy and remove duplicate header logic via helmet

1 participant