From 81d7ec215c2cc38d0c2b953554e4c7183312dab1 Mon Sep 17 00:00:00 2001
From: Nursoltan Saipolda
Date: Mon, 18 Jul 2022 15:35:30 +0800
Subject: [PATCH] add http security headers
---
 server.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/server.js b/server.js
index 9b7653a5..7aa29253 100644
--- a/server.js
+++ b/server.js
@@ -16,6 +16,16 @@ function check () { return true }
 app.use(healthCheck.middleware([check]))
+app.use((req, res, next) => {
+ res.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+ res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+ res.header('X-Content-Type-Options', 'nosniff');
+ res.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+ res.header('Cache-control', 'public, max-age=0');
+ res.header('Pragma', 'no-cache');
+
+ next();
+});
 // app.use(requireHTTPS) // removed because app servers don't handle https
 // app.use(express.static(__dirname))
 app.use(express.static(path.join(__dirname, 'build')))
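Review bot: The `Strict-Transport-Security` line in the new middleware carries `preload`, which commits the domain and every subdomain to HTTPS in browsers' built-in lists and cannot be quickly reverted; the context comment two lines below says the app servers do not handle HTTPS, so HSTS belongs on the TLS-terminating proxy, or at least the directive should be dropped until the domain is deliberately submitted: `res.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');`. `Cache-control: public, max-age=0` next to `Pragma: no-cache` is also contradictory in intent — `public` permits shared caches to store the response while `Pragma` tries to prevent caching; if responses must stay out of caches, `no-store` is the directive that achieves it, and if only revalidation is wanted, the `Pragma` line adds nothing. The header set has no framing protection, so a `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`) would round it out. The hunk header announces six context lines but fewer are visible, so the trailing context appears truncated here.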