From bb5998542f5eb7d429695167af22da7c5d6048e0 Mon Sep 17 00:00:00 2001
From: xpoes123
Date: Mon, 29 Jun 2026 23:41:09 -0400
Subject: [PATCH] security: set baseline security response headers

---
 app.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/app.js b/app.js
index 1b4ababa6..860030565 100644
--- a/app.js
+++ b/app.js
@@ -16,6 +16,15 @@ if (process.env.NODE_ENV !== 'production') {
   app.use(morgan('dev'));
 }
 
+app.use((req, res, next) => {
+  res.set({
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'SAMEORIGIN',
+    'Referrer-Policy': 'strict-origin-when-cross-origin'
+  });
+  next();
+});
+
 // https://stackoverflow.com/questions/10348906/how-to-know-if-a-request-is-http-or-https-in-node-js
 app.enable('trust proxy');
 app.use(hostnameRedirection);
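Review bot: The new middleware sets no `Strict-Transport-Security` header even though the same file enables `trust proxy` and applies a hostname redirection, which suggests the app is served over TLS behind a proxy; without HSTS the three headers added here still leave a user's first plain-HTTP request exposed to a downgrade. If TLS is confirmed, add `'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'` to the same `res.set` object, gated on `req.secure` (which `trust proxy` derives from `X-Forwarded-Proto`) so a local HTTP dev server is not pinned by browsers. `X-Frame-Options` is a legacy header whose current equivalent is `Content-Security-Policy: frame-ancestors 'self'`; it can be set alongside the existing line, though a full CSP depends on the app's assets and is beyond this hunk. Any `app.use` or route registered above line 16 — outside this hunk, as is the `if` block that the first context line belongs to — runs before this middleware and will not carry these headers, so confirm nothing such as `express.static` precedes it.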