
Deny using iframes and add allowed headers in cors

Open bmxpiku opened this issue 1 year ago • 0 comments

https://www.oreilly.com/library/view/nodejs-web-development/9781788626859/3d40c77e-d328-401b-bcc0-fdd6f71c2774.xhtml Unless you expect to use iframes (helmet by default allows 'sameorigin'), I would advise denying it.

Also, the cors settings could have headers defined (this is my cors.ts file definition, but I deliver an API for a couple of frontend applications):

```ts
import type { CorsOptions } from 'cors';

// '|'-separated list of allowed origins,
// e.g. CORS_ORIGINS="https://app.example.com|https://admin.example.com"
const whitelist = process.env.CORS_ORIGINS?.split('|') || [];

const corsOptions: CorsOptions = {
  // cors calls this with the request's Origin header; err is null on success,
  // so the callback type must allow null to compile under strictNullChecks.
  origin(origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void): void {
    // A request without an Origin header (same-origin or non-browser client) is let through.
    // Note: String.prototype.match treats each whitelist entry as an unanchored regular
    // expression, so anchor the entries (e.g. '^https://app\\.example\\.com$') or they
    // will also match look-alike origins.
    if (!origin || whitelist.some((val) => origin.match(val))) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  maxAge: 86400, // cache preflight responses for 24 hours
  // Access-Control-Allow-Headers; the cors package documents this option as
  // allowedHeaders (it also accepts the undocumented alias `headers`).
  allowedHeaders: [
    'Accept',
    'Authorization',
    'Content-Type',
    'If-None-Match',
    'BX-User-Token',
    'Trace-Id',
  ],
  // Response headers the browser may read from a cross-origin response.
  exposedHeaders: ['WWW-Authenticate', 'Server-Authorization'],
  credentials: true,
};

export default corsOptions;
```

bmxpiku avatar Mar 23 '23 10:03 bmxpiku
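The origin check in the cors.ts above treats each whitelist entry as an unanchored regular expression, which is a common CORS configuration weakness. The following is an added example (not the issue author's code nor part of express-ts-auth-service) that puts that check beside an exact-match check so the difference can be tested; the whitelist value is constructed for the example.

```typescript
// Constructed whitelist in the '|'-separated CORS_ORIGINS format used in the issue.
export const CONSTRUCTED_CORS_ORIGINS = 'https://app.example.com|https://admin.example.com';
export const whitelist: string[] = CONSTRUCTED_CORS_ORIGINS.split('|');

// The issue's check: String.prototype.match(string) compiles the entry into a RegExp,
// so '.' matches any character and the pattern may match anywhere inside the origin.
export function allowedByRegexMatch(origin: string | undefined, list: string[]): boolean {
  return !origin || list.some((val) => origin.match(val) !== null);
}

// Hardened check: compare the full Origin value against the list, no pattern semantics.
export function allowedByExactMatch(origin: string | undefined, list: string[]): boolean {
  if (!origin) return true; // no Origin header: same-origin or non-browser client
  return list.includes(origin);
}

// Wrapper with the cors package's origin-callback contract (err is null on success),
// typed so it compiles under strictNullChecks.
export function originCallback(
  origin: string | undefined,
  callback: (err: Error | null, allow?: boolean) => void,
): void {
  if (allowedByExactMatch(origin, whitelist)) {
    callback(null, true);
  } else {
    callback(new Error('Not allowed by CORS'));
  }
}
```

Run the two checks against a look-alike origin such as `https://app.example.com.attacker.test`: the regex-based check accepts it, the exact-match check rejects it.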