Merge pull request #55 from AwespireTech/feat/fix-vulnerability

feat: modify response header of static web

apps/server/src/app/app.module.ts

@@ -27,6 +27,35 @@ import { IssuanceModule } from '../issuance/issuance.module';
           return [
             {
               rootPath: clientPath,
+              // set some response headers to improve security of the static web
+              serveStaticOptions: {
+                setHeaders(res) {
+                  // apply Content Security Policy (CSP) to mitigate some types of attacks,
+                  // such as cross-site scripting (XSS) and packet sniffing attacks.
+                  const cspHeader = `
+                    default-src 'self';
+                    img-src 'self';
+                    child-src 'none';
+                    script-src 'self' 'wasm-unsafe-eval';
+                    connect-src 'self' https://tw-did.github.io https://mainnet.infura.io;
+                    style-src 'self' https://fonts.googleapis.com;
+                    font-src 'self' https://fonts.gstatic.com;
+                    object-src 'self';
+                    base-uri 'self';
+                    form-action 'self';
+                    frame-ancestors 'self';
+                    frame-src 'self';
+                    upgrade-insecure-requests;
+                  `.replace(/\s{2,}/g, " ").trim()
+                  res.setHeader('Content-Security-Policy', cspHeader)
+                  // avoid click-jacking attacks
+                  res.setHeader('X-Frame-Options', 'DENY')
+                  // avoid MIME type sniffing
+                  res.setHeader('X-Content-Type-Options', 'nosniff')
+                  // deny requesting code from any other origin to access resources of the web
+                  res.removeHeader('access-control-allow-origin')
+                },
+              }
             },
           ];
         } else {