feat(security): Integrate helmet for enhanced security headers and update dependencies

codevoid048 · codevoid048 · commit 7c160e54f0a7 · 2025-10-27T02:18:48.000+05:30
diff --git a/server/app.js b/server/app.js
@@ -1,5 +1,6 @@
 import express from "express";
 import cors from "cors";
+import helmet from "helmet";
 import authRoutes from "./routes/authRoutes.js";
 import profileRoutes from "./routes/profileRoutes.js";
 import challengeRoutes from "./routes/challengeRoutes.js";
@@ -22,6 +23,31 @@ const app = express();
 
 app.use(cors({ origin: process.env.CLIENT_URL, credentials: true }));
 
+// Security headers
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
+      fontSrc: ["'self'", "https://fonts.gstatic.com"],
+      imgSrc: ["'self'", "data:", "https:"],
+      scriptSrc: ["'self'"],
+      connectSrc: ["'self'", "https:"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      upgradeInsecureRequests: [],
+    },
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true
+  },
+  noSniff: true,
+  xssFilter: true,
+  referrerPolicy: { policy: "strict-origin-when-cross-origin" }
+}));
+
 app.use(express.json({ limit: '2mb' }));
 
 app.use(express.urlencoded({ limit: '2mb', extended: false }));
diff --git a/server/lib/dbIndexes.js b/server/lib/dbIndexes.js
@@ -3,7 +3,7 @@ import mongoose from "mongoose";
 // Drop and recreate all performance indexes
 export const createOptimalIndexes = async () => {
     try {
-        console.log('Setting up database indexes...');
+        // console.log('Setting up database indexes...');
         
         const usersCollection = mongoose.connection.db.collection('users');
         const challengesCollection = mongoose.connection.db.collection('challenges');
@@ -37,7 +37,7 @@ export const createOptimalIndexes = async () => {
         await challengesCollection.createIndex({ title: 'text', category: 'text' }, { name: 'challenge_search_idx' });
         await challengesCollection.createIndex({ solvedUsers: 1 }, { sparse: true, name: 'solved_users_idx' });
         
-        console.log('Database indexes created successfully');
+        // console.log('Database indexes created successfully');
         
     } catch (error) {
         console.error('Error setting up database indexes:', error);
diff --git a/server/package-lock.json b/server/package-lock.json
diff --git a/server/package.json b/server/package.json
@@ -28,6 +28,7 @@
     "dotenv": "^16.4.7",
     "express": "^4.21.2",
     "express-session": "^1.18.1",
+    "helmet": "^8.1.0",
     "jsonwebtoken": "^9.0.2",
     "moment-timezone": "^0.5.48",
     "mongoose": "^8.12.2",
