From c68334856b895ed4be8f31621ed0318ea2a9a6c9 Mon Sep 17 00:00:00 2001
From: August Andersen
Date: Mon, 5 May 2025 11:57:05 +0200
Subject: [PATCH] Install helmet for making http headers such as referrer policy and frameoptions.
---
 package-lock.json | 9 +++++++++
 package.json | 1 +
 src/main.ts | 11 +++++++++++
 3 files changed, 21 insertions(+)
diff --git a/package-lock.json b/package-lock.json
index 595eb374..2802a5ef 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -42,6 +42,7 @@
 "cookie-parser": "^1.4.5",
 "crypto-js": "^4.2.0",
 "dayjs": "^1.11.13",
+ "helmet": "^8.1.0",
 "kafkajs": "^2.2.4",
 "lodash": "^4.17.20",
 "mqtt": "^4.3.7",
@@ -5790,6 +5791,14 @@
 "node": ">= 0.4"
 }
 },
+ "node_modules/helmet": {
+ "version": "8.1.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
+ "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
+ "engines": {
+ "node": ">=18.0.0"
+ }
+ },
 "node_modules/help-me": {
 "version": "3.0.0",
 "resolved": "https://registry.npmjs.org/help-me/-/help-me-3.0.0.tgz",
diff --git a/package.json b/package.json
index 084423e4..ea9e4535 100644
--- a/package.json
+++ b/package.json
@@ -62,6 +62,7 @@
 "cookie-parser": "^1.4.5",
 "crypto-js": "^4.2.0",
 "dayjs": "^1.11.13",
+ "helmet": "^8.1.0",
 "kafkajs": "^2.2.4",
 "lodash": "^4.17.20",
 "mqtt": "^4.3.7",
diff --git a/src/main.ts b/src/main.ts
index 5fd10f55..7d73e75e 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -8,6 +8,7 @@ import * as dotenv from "dotenv";
 import { setupNestJs } from "@loaders/nestjs";
 import { setupSwagger } from "@loaders/swagger";
 import configuration from "@config/configuration";
+import helmet from "helmet";
 async function bootstrap() {
 // Load .env file as environment before startup. 
@@ -22,6 +23,16 @@ async function bootstrap() {
 };
 const server = express();
+ // Set security headers using Helmet
+ server.use(
+ helmet({
+ referrerPolicy: { policy: "no-referrer-when-downgrade" },
+ xFrameOptions: { action: "deny" },
+ hidePoweredBy: true,
+ strictTransportSecurity: { maxAge: 63072000, includeSubDomains: true, preload: true },
+ })
+ );
+
 const app = await setupNestJs(config, server);
 setupSwagger(app, config.SWAGGER_PREFIX);
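Review bot: The `referrerPolicy: { policy: "no-referrer-when-downgrade" }` line in the new `helmet({...})` options selects the legacy browser default, which is weaker than Helmet's own default of `no-referrer` and still sends the full request URL, including path and query string, to any third-party origin reached over HTTPS; if the commit's aim is to reduce referrer leakage, `referrerPolicy: { policy: "strict-origin-when-cross-origin" },` (or `same-origin`) is the usual hardening choice. The `strictTransportSecurity` entry combines `preload: true` with `includeSubDomains: true`, which is a commitment to the browser HSTS preload list that is hard to reverse and requires every subdomain to serve HTTPS, so it deserves a comment recording that decision, e.g. `// HSTS preload: all subdomains must serve HTTPS; removal from the preload list takes months`. Helmet 8 also enables its default Content-Security-Policy, which may block the Swagger UI served by `setupSwagger` below if that page relies on inline scripts — worth verifying on a deployed instance. The enclosing `bootstrap` function starts and ends outside the hunk.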