Merge pull request #7 from evaristoc/feat/add_security

Feat/add security

Author: FreekBes

src/handlers/authentication.ts

@@ -69,6 +69,7 @@ export const usePassport = function(app: any, prisma: PrismaClient): void {
 		cookie: {
 			maxAge: 1000 * 60 * 60 * 24 * 7, // ms
 			secure: (NODE_ENV === 'production'), // Secure HTTPS cookies only in production
+			sameSite: "lax", // Bound the cookie to be sent only from self frontend (reduce exposurse to CSRF)
 		},
 		name: 'nl.codam.coalitions.session',
 		proxy: (NODE_ENV === 'production'), // Trust the X-Forwarded-Proto header

src/main.ts

@@ -52,6 +52,9 @@ const main = async () => {
 	// Set up the Express app
 	const app = express();
 
+	// Adding size limit to json request (DoS); 10kb seems to be standard
+	app.use(express.json({ limit: "10kb" }));
+
 	// Adding helmet
 	app.use(helmet.contentSecurityPolicy({
 		directives: {