Skip to content

Add Security Middleware (Helmet, CORS)#34

Merged
salazarsebas merged 3 commits intoScaffoldRust:mainfrom
Benjtalkshow:add-security-middleware
Aug 9, 2025
Merged

Add Security Middleware (Helmet, CORS)#34
salazarsebas merged 3 commits intoScaffoldRust:mainfrom
Benjtalkshow:add-security-middleware

Conversation

@Benjtalkshow
Copy link
Contributor

@Benjtalkshow Benjtalkshow commented Aug 5, 2025

Closes #27

Add Security Middleware (Helmet & CORS)

Summary

This PR integrates essential security middleware into the Express.js backend to protect against common web vulnerabilities and restrict API access to authorized origins.

Changes Made

  • Added Helmet middleware for secure HTTP headers
  • Configured CORS to restrict API access to http://localhost:4200 only
  • Enhanced error handling with proper middleware stack
  • Added request parsing middleware for JSON and URL-encoded data

Security Enhancements

Helmet Protection

  • X-Content-Type-Options: Prevents MIME type sniffing attacks
  • X-Frame-Options: Blocks clickjacking attempts
  • X-XSS-Protection: Enables browser XSS filtering
  • Strict-Transport-Security: Enforces secure HTTPS connections
  • Content-Security-Policy: Controls resource loading and execution

CORS Configuration

  • Origin Restriction: Only allows requests from http://localhost:4200
  • Method Control: Supports GET, POST, PUT, DELETE, OPTIONS
  • Credential Support: Enables authentication cookies/headers
  • Header Validation: Restricts allowed request headers

Files Modified

  • apps/backend/src/index.ts - Added security middleware configuration

Dependencies Added

{
  "helmet": "^7.x.x",
  "cors": "^2.x.x",
  "@types/cors": "^2.x.x"
}

Testing

  • Server starts without errors
  • Security headers present in all responses
  • CORS allows Angular frontend (localhost:4200)
  • CORS blocks unauthorized origins
  • Error handling works correctly
  • Original functionality preserved

Security Impact

  • High: Protects against XSS, clickjacking, and MIME sniffing
  • Medium: Prevents unauthorized cross-origin API access
  • Low: Improves error response security

Performance Impact

Minimal - middleware adds ~1ms overhead per request.

@salazarsebas
Copy link
Member

salazarsebas commented Aug 8, 2025

Please resolve the conflicts. And also fix the workflow errors.

@Benjtalkshow

@Benjtalkshow
Copy link
Contributor Author

Benjtalkshow commented Aug 8, 2025

Please resolve the conflicts. And also fix the workflow errors.

@Benjtalkshow

Ok

@Benjtalkshow
Copy link
Contributor Author

Benjtalkshow commented Aug 8, 2025

Conflict fixed!! Kindly review @salazarsebas

salazarsebas
salazarsebas approved these changes Aug 9, 2025
View reviewed changes
Copy link
Member

@salazarsebas salazarsebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@salazarsebas salazarsebas merged commit 787a624 into ScaffoldRust:main Aug 9, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@salazarsebas salazarsebas salazarsebas approved these changes

Assignees

@Benjtalkshow Benjtalkshow

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Security Middleware (Helmet, CORS) [backend]

2 participants

@Benjtalkshow @salazarsebas