This repository has been archived by the owner on Oct 11, 2022. It is now read-only.

Security middleware implementation #2909

Merged
merged 7 commits into withspectrum:alpha from securityMiddleware
Apr 20, 2018

Conversation

spartDev
Contributor

@spartDev spartDev commented Apr 18, 2018

Status

  • WIP
  • Ready for review
  • Needs testing

Deploy after merge (delete what needn't be deployed)

  • api
  • hyperion (frontend)
  • pluto

Release notes for users (delete if codebase-only change)

  • Create security middleware for different node servers to improve security.

  • use of Helmet with some configurations:

    • we don't want to expose any software information to hackers: `server.disable('x-powered-by');`
    • Sets the X-XSS-Protection header to prevent reflected XSS attacks. more info
    • Mitigates clickjacking attacks by setting the X-Frame-Options header. more info
    • Sets the X-Download-Options to prevent Internet Explorer from executing downloads in your site’s context. more info
    • Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying to guess (“sniff”) the MIME type, which can have security implications. more info
  • use of Hpp express middleware to protect against HTTP Parameter Pollution attacks

Finally, I prefer to separate things and implement the CSP (Content Security Policy) rules in a future PR

close: #2775
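To make the header set described above concrete, here is an added example; it is not code from this PR or from the Spectrum repository. It sets by hand the response headers that the PR enables through Helmet (values are Helmet's defaults for `xssFilter`, `frameguard`, `ieNoOpen` and `noSniff`), removes `X-Powered-By` the way `server.disable('x-powered-by')` does, and adds a small HTTP Parameter Pollution guard modelled on `hpp`'s default behaviour (keep the last value of a repeated query key, expose the full array on `req.queryPolluted`). The request and response objects are constructed test doubles, so the example runs without Express or a network.

```javascript
'use strict';

// Added example, not Spectrum's code. Header values are the Helmet defaults
// for the middlewares named in the PR description (assumption: helmet 3.x era).
const SECURITY_HEADERS = Object.freeze({
  'X-XSS-Protection': '1; mode=block',   // helmet.xssFilter()
  'X-Frame-Options': 'SAMEORIGIN',       // helmet.frameguard() default action
  'X-Download-Options': 'noopen',        // helmet.ieNoOpen()
  'X-Content-Type-Options': 'nosniff',   // helmet.noSniff()
});

// Express-style middleware: strip the fingerprinting header and add the
// hardening headers on every response.
function securityHeaders(req, res, next) {
  // Same effect as `server.disable('x-powered-by')` for this response.
  res.removeHeader('X-Powered-By');
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// HTTP Parameter Pollution guard. A repeated key such as `?id=1&id=2` reaches
// the app as an array; downstream code that expects a string can be tricked
// into odd behaviour. Mirror hpp's default: keep the last value, and keep the
// original array on req.queryPolluted so a handler can still inspect it.
function parameterPollutionGuard(req, res, next) {
  req.queryPolluted = {};
  for (const [key, value] of Object.entries(req.query || {})) {
    if (Array.isArray(value)) {
      req.queryPolluted[key] = value;
      req.query[key] = value[value.length - 1];
    }
  }
  next();
}

// Constructed stand-in for an Express response (not the real object): just
// enough header bookkeeping to observe what the middleware does. It starts
// with the X-Powered-By header Express would normally add.
function makeRes() {
  const headers = { 'x-powered-by': 'Express' };
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Run both middlewares over a constructed request with the given parsed query
// and return the resulting request, response and number of next() calls.
function applySecurity(query) {
  const req = { query: Object.assign({}, query) };
  const res = makeRes();
  let nextCalls = 0;
  securityHeaders(req, res, () => { nextCalls += 1; });
  parameterPollutionGuard(req, res, () => { nextCalls += 1; });
  return { req, res, nextCalls };
}

// Usage: a polluted query string `?id=1&id=2&page=3` after parsing.
const demo = applySecurity({ id: ['1', '2'], page: '3' });
console.log(demo.res.headers);
console.log(demo.req.query, demo.req.queryPolluted);
```

In a real Express app the two functions would be registered with `server.use(securityHeaders)` and `server.use(parameterPollutionGuard)` before any route, which is the ordering Helmet and hpp also rely on; the test doubles above only exist so the effect of each header and of the parameter collapse can be checked directly.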

Contributor

@mxstbr mxstbr left a comment


Overall this looks good to me so far, I'll deploy it to alpha.spectrum.chat and see how well it works!

Notes:

  • pluto doesn't need this, only the api and hyperion

@spartDev
Contributor Author

I was not sure about pluto.
I made the change

@mxstbr
Contributor

mxstbr commented Apr 20, 2018

I'm deploying this to alpha.spectrum.chat!

Contributor

@mxstbr mxstbr left a comment


Works perfectly, cannot find any bugs! Thanks so much for digging into this, shipping!

@mxstbr mxstbr merged commit 30ed05d into withspectrum:alpha Apr 20, 2018
@spartDev spartDev deleted the securityMiddleware branch April 20, 2018 10:10
@spartDev
Contributor Author

👍

@brianlovin
Contributor

Awesome stuff here @spartDev :D

Successfully merging this pull request may close these issues.

Use helmet to protect our Node servers