Install helmet for making http headers such as referrer policy and frameoptions. (#281)

augusthjerrild · AugustHA-Iterator · fcv-iteratorIt · web-flow · commit 17ad57294675 · 2025-06-12T10:37:24.000+02:00
Co-authored-by: August Andersen &lt;aha@iterator-it.dk&gt;
Co-authored-by: Frederik Christ Vestergaard &lt;fcv@iterator-it.dk&gt;
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -62,6 +62,7 @@
         "cookie-parser": "^1.4.5",
         "crypto-js": "^4.2.0",
         "dayjs": "^1.11.13",
+        "helmet": "^8.1.0",
         "kafkajs": "^2.2.4",
         "lodash": "^4.17.20",
         "mqtt": "^4.3.7",
diff --git a/src/main.ts b/src/main.ts
@@ -8,6 +8,7 @@ import * as dotenv from "dotenv";
 import { setupNestJs } from "@loaders/nestjs";
 import { setupSwagger } from "@loaders/swagger";
 import configuration from "@config/configuration";
+import helmet from "helmet";
 
 async function bootstrap() {
   // Load .env file as environment before startup.
@@ -22,6 +23,16 @@ async function bootstrap() {
   };
   const server = express();
 
+  // Set security headers using Helmet
+  server.use(
+    helmet({
+      referrerPolicy: { policy: "no-referrer-when-downgrade" },
+      xFrameOptions: { action: "deny" },
+      hidePoweredBy: true,
+      strictTransportSecurity: { maxAge: 63072000, includeSubDomains: true, preload: true },
+    })
+  );
+
   const app = await setupNestJs(config, server);
   setupSwagger(app, config.SWAGGER_PREFIX);
 
