Merge pull request #301 from grtjn/287-helmet

Fixed #287: added helmet package for slightly better security

Author: grtjn

app/templates/node-server/node-app.js

@@ -2,6 +2,7 @@
 'use strict';
 
 var express = require('express');
+var helmet = require('helmet');
 var expressSession = require('express-session');
 var app = express();
 var logger = require('morgan');
@@ -11,6 +12,21 @@ var options = require('./utils/options')();
 var port = options.appPort;
 var environment = options.env;
 
+// Making this middle-tier slightly more secure: https://www.npmjs.com/package/helmet#how-it-works
+app.use(helmet({
+  csp: { // enable and configure
+    directives: {
+      defaultSrc: ['"self"']
+    },
+    setAllHeaders: true
+  },
+  dnsPrefetchControl: true, // just enable, with whatever defaults
+  xssFilter: { // enabled by default, but override defaults
+    setOnOldIE: true
+  },
+  noCache: false // make sure it is disabled
+}));
+
 app.use(expressSession({
   name: '@sample-app-name',
   secret: '1234567890QWERTY',

app/templates/package.json

@@ -5,6 +5,7 @@
     "body-parser": "^1.14.0",
     "express": "^4.4.1",
     "express-session": "^1.5.0",
+    "helmet": "^2.0.0",
     "morgan": "^1.6.0"
   },
   "devDependencies": {