Xendit #0008 - Security

index.js

@@ -4,10 +4,11 @@ const sqlite3 = require('sqlite3').verbose();
 
 const db = new sqlite3.Database(':memory:');
 const buildSchemas = require('./src/schemas');
+const logger = require('./src/lib/logger');
 
 db.serialize(() => {
   buildSchemas(db);
 
   const app = require('./src/app')(db);
-  app.listen(port, () => console.log(`App started and listening on port ${port}`));
+  app.listen(port, () => logger.info(`App started and listening on port ${port}`));
 });

package.json

@@ -20,6 +20,7 @@
     "body-parser": "^1.19.0",
     "express": "^4.16.4",
     "faker": "^5.1.0",
+    "helmet": "^4.1.1",
     "http-status-codes": "^2.1.4",
     "sqlite3": "^4.0.6",
     "swagger-ui-express": "^4.1.4",

src/app.js

@@ -3,8 +3,9 @@ const express = require('express');
 const app = express();
 
 const bodyParser = require('body-parser');
+const helmet = require('helmet');
 
-const jsonParser = bodyParser.json();
+const jsonParser = bodyParser.json({ limit: '2kb' });
 
 const swaggerUI = require('swagger-ui-express');
 const swaggerFile = require('./resources/api-v1-swagger.json');
@@ -20,6 +21,8 @@ module.exports = (db) => {
   const repository = new RideRepository(db, RideEntity, selectQuery, insertQuery);
   const controller = new RideController(repository);
 
+  app.use(helmet());
+
   app.get('/health', (req, res) => res.send('Healthy'));
 
   app.use('/api-documentation/v1', swaggerUI.serve, swaggerUI.setup(swaggerFile));

src/lib/logger.js

@@ -5,7 +5,7 @@ const {
 } = require('winston');
 const path = require('path');
 
-const LOGGING_LEVEL = 'error';
+const LOGGING_LEVEL = 'info';
 const logger = createLogger({
   level: LOGGING_LEVEL,
   format: format.combine(
@@ -18,12 +18,13 @@ const logger = createLogger({
   ),
   transports: [
     new transports.File({
+      level: LOGGING_LEVEL,
       filename: 'rider-api.log',
       handleExceptions: true,
       format: format.combine(
         format.colorize(),
         format.printf(
-          (info) => `${info.timestamp} ${LOGGING_LEVEL} [${info.label}]: ${info.message}`,
+          (info) => `${info.timestamp} ${info.level} [${info.label}]: ${info.message}`,
         ),
       ),
     }),

tests/api.test.js

@@ -111,6 +111,24 @@ describe('API tests', () => {
     });
 
     describe('GET /rides', () => {
+      it('should return a response with pre-set headers from helmet',
+          (done) => {
+            request(app).
+                get('/rides').
+                expect('Content-Type', /json/).
+                expect(200).
+                expect('X-DNS-Prefetch-Control', 'off').
+                expect('Expect-CT', 'max-age=0').
+                expect('X-Download-Options', 'noopen').
+                expect('X-Content-Type-Options', 'nosniff').
+                expect('X-XSS-Protection', '0').
+                expect('Content-Security-Policy', 'default-src' +
+                    ' \'self\';base-uri' +
+                    ' \'self\';block-all-mixed-content;font-src \'self\'' +
+                    ' https: data:;frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests',
+                    done);
+          });
+
       it('should return exactly 10 rides given no limit query parameter',
           (done) => {
             const limit = 10;
@@ -223,6 +241,23 @@ describe('API tests', () => {
     });
 
     describe('GET /rides/${id}', () => {
+      it('should return a response with pre-set headers from helmet',
+          (done) => {
+            request(app).
+                get('/rides/2').
+                expect('Content-Type', /json/).
+                expect(200).
+                expect('X-DNS-Prefetch-Control', 'off').
+                expect('Expect-CT', 'max-age=0').
+                expect('X-Download-Options', 'noopen').
+                expect('X-Content-Type-Options', 'nosniff').
+                expect('X-XSS-Protection', '0').
+                expect('Content-Security-Policy', 'default-src' +
+                    ' \'self\';base-uri' +
+                    ' \'self\';block-all-mixed-content;font-src \'self\'' +
+                    ' https: data:;frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests',
+                    done);
+          });
       it('should return ride id of 2', (done) => {
         request(app).
             get('/rides/2').
@@ -236,6 +271,26 @@ describe('API tests', () => {
     });
 
     describe('POST /rides', () => {
+      it('should return a response with pre-set headers from helmet',
+          (done) => {
+            const body = rideEntities[2];
+            request(app).
+                post('/rides').
+                send(body).
+                expect('Content-Type', /json/).
+                expect(200).
+                expect('X-DNS-Prefetch-Control', 'off').
+                expect('Expect-CT', 'max-age=0').
+                expect('X-Download-Options', 'noopen').
+                expect('X-Content-Type-Options', 'nosniff').
+                expect('X-XSS-Protection', '0').
+                expect('Content-Security-Policy', 'default-src' +
+                    ' \'self\';base-uri' +
+                    ' \'self\';block-all-mixed-content;font-src \'self\'' +
+                    ' https: data:;frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests',
+                    done);
+          });
+
       it('should create a new ride', (done) => {
         const body = rideEntities[2];
         request(app).