feat(Security): Secure app using helmet (#21)

kunalkapadia · web-flow · commit 427199984996 · 2016-07-15T20:35:10.000+05:30
Closes #13
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@ Heavily inspired from [Egghead.io - How to Write an Open Source JavaScript Libra
 | Debugging via [debug](https://www.npmjs.com/package/debug)           | Instead of inserting and deleting console.log you can replace it with the debug function and just leave it there. You can then selectively debug portions of your code by setting DEBUG env variable. If DEBUG env variable is not set, nothing is displayed to the console.                       |
 | Promisified Code via [bluebird](https://github.com/petkaantonov/bluebird)           | We love promise, don't we ? All our code is promisified and even so our tests via [supertest-as-promised](https://www.npmjs.com/package/supertest-as-promised).                       |
 | API parameter validation via [express-validation](https://www.npmjs.com/package/express-validation)           | Validate body, params, query, headers and cookies of a request (via middleware) and return a response with errors; if any of the configured validation rules fail. You won't anymore need to make your route handler dirty with such validations. |
+| Secure app via [helmet](https://github.com/helmetjs/helmet)           | Helmet helps secure Express apps by setting various HTTP headers. |
 
 - CORS support via [cors](https://github.com/troygoode/node-cors)
 - Uses [http-status](https://www.npmjs.com/package/http-status) to set http status code. It is recommended to use `httpStatus.INTERNAL_SERVER_ERROR` instead of directly using `500` when setting status code.
diff --git a/config/express.js b/config/express.js
@@ -8,6 +8,7 @@ import cors from 'cors';
 import httpStatus from 'http-status';
 import expressWinston from 'express-winston';
 import expressValidation from 'express-validation';
+import helmet from 'helmet';
 import winstonInstance from './winston';
 import routes from '../server/routes';
 import config from './env';
@@ -27,8 +28,8 @@ app.use(cookieParser());
 app.use(compress());
 app.use(methodOverride());
 
-// disable 'X-Powered-By' header in response
-app.disable('x-powered-by');
+// secure apps by setting various HTTP headers
+app.use(helmet());
 
 // enable CORS - Cross Origin Resource Sharing
 app.use(cors());
diff --git a/package.json b/package.json
@@ -44,6 +44,7 @@
     "express": "4.14.0",
     "express-validation": "1.0.0",
     "express-winston": "^1.2.0",
+    "helmet": "2.1.1",
     "http-status": "^0.2.0",
     "joi": "8.4.2",
     "lodash": "^4.0.1",
