
Commit 8f4d1e0

perf: retirar dependência 'helmet'
1 parent 84641b4 commit 8f4d1e0


5 files changed

+47
-140
lines changed


package-lock.json

Lines changed: 0 additions & 135 deletions

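--- a/package.json
+++ b/package.json
@@ -41,7 +41,6 @@
 "express": "^4.17.1",
 "express-query-int": "^3.0.0",
 "express-validation": "^3.0.2",
-"helmet": "^3.22.0",
 "jsonwebtoken": "^8.5.1",
 "morgan": "^1.10.0",
 "nedb": "^1.8.0",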

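--- a/src/app.js
+++ b/src/app.js
@@ -1,7 +1,6 @@
 'use strict'
 
 const express = require('express')
-const helmet = require('helmet')
 const logger = require('morgan')
 const queryParser = require('express-query-int')
 const timeout = require('connect-timeout')
@@ -15,8 +14,18 @@ app.use(express.urlencoded({ extended: false }))
 app.use(queryParser())
 app.use(timeout())
 
-if (conf.utilizarHeaderDeSeguranca) {
-app.use(helmet())
+if (!conf.semHeaderDeSeguranca) {
+app.disable('x-powered-by')
+app.use((req, res, next) => {
+res.set('x-dns-prefetch-control', 'off')
+res.set('x-frame-options', 'SAMEORIGIN')
+res.set('strict-transport-security', 'max-age=15552000; includeSubDomains')
+res.set('x-download-options', 'noopen')
+res.set('x-content-type-options', 'nosniff')
+res.set('x-xss-protection', '1; mode=block')
+res.set('content-type', 'application/json; charset=utf-8')
+next()
+})
 }
 
 app.use(logger('dev'))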
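Review bot: `res.set('content-type', 'application/json; charset=utf-8')` inside the new middleware is not a security header, and because the middleware runs before routing it is stamped on every response, so any handler that answers with `res.send()` of a string, a redirect body or an error page inherits a JSON content-type it did not choose (`res.json()` overrides it, other paths do not). Drop that line from this middleware and let the JSON routes set their own type, or scope it to the routes that actually emit JSON. The remaining six `res.set` calls plus `app.disable('x-powered-by')` appear to reproduce helmet@3's default middleware set, but with the dependency gone that baseline is now implicit; add a comment such as `// Mirrors helmet@3 defaults: dnsPrefetchControl, frameguard, hsts, ieNoOpen, noSniff, xssFilter; hidePoweredBy via app.disable above` so future edits to this list are reviewed against a known reference. HSTS is also emitted on plain-HTTP responses here; helmet behaved the same, so it is not a regression, but it is worth stating in that comment.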

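--- a/src/server.js
+++ b/src/server.js
@@ -42,7 +42,7 @@ const argv = require('yargs')
 .argv
 
 conf.tokenTimeout = argv.timeout
-conf.utilizarHeaderDeSeguranca = !argv.nosec
+conf.semHeaderDeSeguranca = argv.nosec
 conf.semBearer = argv.nobearer
 const DEFAULT_PORT = 3000
 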
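--- a/test/outros/seguranca.test.js
+++ b/test/outros/seguranca.test.js
@@ -0,0 +1,34 @@
+const chai = require('chai')
+const joi = require('@hapi/joi')
+
+describe('SEGURANÇA', () => {
+it('Validar presença de headers de segurança', async () => {
+const rotas = ['/produtos', '/usuarios', '/carrinhos']
+const rotaAleatoria = rotas[Math.floor(Math.random() * rotas.length)]
+const { headers } = await request.get(rotaAleatoria).expect(200)
+
+chai.assert.include(headers, {
+'x-dns-prefetch-control': 'off',
+'x-frame-options': 'SAMEORIGIN',
+'strict-transport-security': 'max-age=15552000; includeSubDomains',
+'x-download-options': 'noopen',
+'x-content-type-options': 'nosniff',
+'x-xss-protection': '1; mode=block',
+'content-type': 'application/json; charset=utf-8'
+})
+
+joi.assert(headers, joi.object().keys({
+'x-dns-prefetch-control': joi.any(),
+'x-frame-options': joi.any(),
+'strict-transport-security': joi.any(),
+'x-download-options': joi.any(),
+'x-content-type-options': joi.any(),
+'x-xss-protection': joi.any(),
+'content-type': joi.any(),
+'content-length': joi.any(),
+etag: joi.any(),
+date: joi.any(),
+connection: joi.any()
+}).required())
+})
+})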
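Review bot: `rotas[Math.floor(Math.random() * rotas.length)]` makes this test check a different single route on each run, so a route that loses the security headers is only caught intermittently and a failure is not reproducible; iterate all three instead, `for (const rota of rotas) { const { headers } = await request.get(rota).expect(200) … }`, with both assertions inside the loop. The `joi.object().keys({...})` schema rejects any header not listed (joi's default for unknown keys), which does implicitly verify that `x-powered-by` is gone, but it also fails on any benign header a proxy or a later Express version adds; state the real intent directly with `chai.assert.notProperty(headers, 'x-powered-by')` and drop the exhaustive key list. `request` is used without a `require` in this file, presumably a global from the mocha setup; a one-line comment saying where it comes from would help.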
