fix(api): set hemlet CSP based on isProduction

api/authentication/src/Server.integration.spec.ts

@@ -23,4 +23,30 @@ describe('Server', () => {
       status: 404
     });
   });
+
+  it('should not have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).not.toBeDefined();
+  });
+});
+
+describe('Server - production', () => {
+  let request: SuperTest.SuperTest<SuperTest.Test>;
+
+  beforeEach(() => {
+    process.env.NODE_ENV = 'production';
+  });
+  beforeEach(TestMongooseContext.bootstrap(Server));
+  beforeEach(() => {
+    request = SuperTest(PlatformTest.callback());
+  });
+
+  afterEach(TestMongooseContext.reset);
+
+  it('should have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).toBeDefined();
+  });
 });

api/authentication/src/Server.ts

@@ -1,12 +1,13 @@
 import { BaseServer, getServerDefaults } from '@hikers-book/tsed-common/server';
 import { getHelmetDirectives, getSwaggerConfig } from '@hikers-book/tsed-common/swagger';
 import '@tsed/ajv';
-import { Configuration } from '@tsed/di';
+import { Configuration, Inject } from '@tsed/di';
 import '@tsed/mongoose';
 import '@tsed/platform-express'; // /!\ keep this import
 import helmet from 'helmet';
 import { join } from 'path';
 import * as docs from './docs/controllers/pages/index';
+import { ConfigService } from './services';
 import * as v1 from './v1/controllers/index';
 
 @Configuration({
@@ -24,14 +25,19 @@ import * as v1 from './v1/controllers/index';
   }
 })
 export class Server extends BaseServer {
+  @Inject()
+  configService!: ConfigService;
+
   $beforeRoutesInit(): void {
     this.registerMiddlewares();
 
     this.app.use(
       helmet({
-        contentSecurityPolicy: {
-          directives: getHelmetDirectives()
-        }
+        contentSecurityPolicy: this.configService.isProduction
+          ? {
+              directives: getHelmetDirectives()
+            }
+          : false
       })
     );
   }

api/graphql/src/Server.ts

@@ -1,15 +1,19 @@
 import { BaseServer, getServerDefaults } from '@hikers-book/tsed-common/server';
 import '@tsed/ajv';
-import { Configuration } from '@tsed/di';
+import { Configuration, Inject } from '@tsed/di';
 import '@tsed/mongoose';
 import '@tsed/platform-express'; // /!\ keep this import
 import helmet from 'helmet';
+import { ConfigService } from './services';
 import './v1/GraphQLModule';
 
 @Configuration({
   ...getServerDefaults() // must be here because of tests
 })
 export class Server extends BaseServer {
+  @Inject()
+  configService!: ConfigService;
+
   $beforeRoutesInit(): void {
     this.registerMiddlewares();
 

api/stages/src/Server.integration.spec.ts

@@ -23,4 +23,30 @@ describe('Server', () => {
       status: 404
     });
   });
+
+  it('should not have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).not.toBeDefined();
+  });
+});
+
+describe('Server - production', () => {
+  let request: SuperTest.SuperTest<SuperTest.Test>;
+
+  beforeEach(() => {
+    process.env.NODE_ENV = 'production';
+  });
+  beforeEach(TestMongooseContext.bootstrap(Server));
+  beforeEach(() => {
+    request = SuperTest(PlatformTest.callback());
+  });
+
+  afterEach(TestMongooseContext.reset);
+
+  it('should have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).toBeDefined();
+  });
 });

api/stages/src/Server.ts

@@ -1,12 +1,13 @@
 import { BaseServer, getServerDefaults } from '@hikers-book/tsed-common/server';
 import { getHelmetDirectives, getSwaggerConfig } from '@hikers-book/tsed-common/swagger';
 import '@tsed/ajv';
-import { Configuration } from '@tsed/di';
+import { Configuration, Inject } from '@tsed/di';
 import '@tsed/mongoose';
 import '@tsed/platform-express'; // /!\ keep this import
 import helmet from 'helmet';
 import { join } from 'path';
 import * as docs from './docs/controllers/pages/index';
+import { ConfigService } from './services';
 import * as rest from './v1/controllers/index';
 
 @Configuration({
@@ -24,14 +25,19 @@ import * as rest from './v1/controllers/index';
   }
 })
 export class Server extends BaseServer {
+  @Inject()
+  configService!: ConfigService;
+
   $beforeRoutesInit(): void {
     this.registerMiddlewares();
 
     this.app.use(
       helmet({
-        contentSecurityPolicy: {
-          directives: getHelmetDirectives()
-        }
+        contentSecurityPolicy: this.configService.isProduction
+          ? {
+              directives: getHelmetDirectives()
+            }
+          : false
       })
     );
   }

api/trips/src/Server.integration.spec.ts

@@ -23,4 +23,30 @@ describe('Server', () => {
       status: 404
     });
   });
+
+  it('should not have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).not.toBeDefined();
+  });
+});
+
+describe('Server - production', () => {
+  let request: SuperTest.SuperTest<SuperTest.Test>;
+
+  beforeEach(() => {
+    process.env.NODE_ENV = 'production';
+  });
+  beforeEach(TestMongooseContext.bootstrap(Server));
+  beforeEach(() => {
+    request = SuperTest(PlatformTest.callback());
+  });
+
+  afterEach(TestMongooseContext.reset);
+
+  it('should have CSP header', async () => {
+    const response = await request.get('/rest');
+
+    expect(response.headers['content-security-policy']).toBeDefined();
+  });
 });

api/trips/src/Server.ts

@@ -1,12 +1,13 @@
 import { BaseServer, getServerDefaults } from '@hikers-book/tsed-common/server';
 import { getHelmetDirectives, getSwaggerConfig } from '@hikers-book/tsed-common/swagger';
 import '@tsed/ajv';
-import { Configuration } from '@tsed/di';
+import { Configuration, Inject } from '@tsed/di';
 import '@tsed/mongoose';
 import '@tsed/platform-express'; // /!\ keep this import
 import helmet from 'helmet';
 import { join } from 'path';
 import * as docs from './docs/controllers/pages/index';
+import { ConfigService } from './services';
 import * as rest from './v1/controllers/index';
 
 @Configuration({
@@ -24,14 +25,19 @@ import * as rest from './v1/controllers/index';
   }
 })
 export class Server extends BaseServer {
+  @Inject()
+  configService!: ConfigService;
+
   $beforeRoutesInit(): void {
     this.registerMiddlewares();
 
     this.app.use(
       helmet({
-        contentSecurityPolicy: {
-          directives: getHelmetDirectives()
-        }
+        contentSecurityPolicy: this.configService.isProduction
+          ? {
+              directives: getHelmetDirectives()
+            }
+          : false
       })
     );
   }

packages/tsed-common/src/server/ConfigLoader.spec.ts

@@ -20,6 +20,7 @@ describe('ConfigLoder', () => {
     expect(loader.service).toEqual('test');
     expect(loader.port).toEqual(4000);
     expect(loader.api).toEqual({ service: 'test', version: expect.any(String) });
+    expect(loader.isProduction).toEqual(false);
     expect(loader.config).toEqual({ test: 'value' });
     expect(loader.server).toEqual({
       httpPort: 4000,
@@ -34,6 +35,13 @@ describe('ConfigLoder', () => {
     });
   });
 
+  it('should pass - isProduction', async () => {
+    const loader = new ConfigLoder('test', 4000, ConfigModel);
+    loader._envs.NODE_ENV = 'production';
+
+    expect(loader.isProduction).toEqual(true);
+  });
+
   it('should fail', async () => {
     const spy = jest.spyOn($log, 'error').mockImplementation();
 

packages/tsed-common/src/server/ConfigLoader.ts

@@ -39,6 +39,10 @@ export class ConfigLoder<T> {
     return Object.assign({}, this._envs);
   }
 
+  public get isProduction() {
+    return this.envs.NODE_ENV === 'production';
+  }
+
   public get server() {
     return Object.assign({}, this._server);
   }