Update Mockttp to tighten up CSRF protections there too

Author: pimterry

package-lock.json

@@ -45,7 +45,7 @@
     "graphql": "^14.0.2",
     "graphql-yoga": "^1.18.1",
     "lodash": "^4.17.13",
-    "mockttp": "^0.19.1",
+    "mockttp": "^0.19.2",
     "node-forge": "^0.9.0",
     "node-gsettings-wrapper": "^0.5.0",
     "portfinder": "^1.0.25",

package.json

@@ -3,7 +3,6 @@ import * as os from 'os';
 import * as events from 'events';
 import corsGate = require('cors-gate');
 import { GraphQLServer } from 'graphql-yoga';
-import * as Express from 'express';
 import { GraphQLScalarType } from 'graphql';
 
 import { HtkConfig } from './config';

src/httptoolkit-server.ts

@@ -86,6 +86,7 @@ export async function runHTK(options: {
             https: httpsConfig
         },
         corsOptions: {
+            strict: true,
             origin: ALLOWED_ORIGINS,
             maxAge: 86400 // Cache this result for as long as possible
         }

src/index.ts

@@ -92,7 +92,12 @@ describe('Integration test', function () {
     });
 
     it('starts a Mockttp server', async () => {
-        const mockttp = getRemote();
+        const mockttp = getRemote({
+            client: {
+                // Pretend to be a browser on the real site:
+                headers: { origin: 'https://app.httptoolkit.tech' }
+            }
+        });
         await mockttp.start();
         await mockttp.get('https://google.com').thenReply(200, 'Mock response');