[Feature]: 使用helmet中间件自定义http安全策略 #7020

services/service-steedos-server/index.js

@@ -10,6 +10,8 @@ const express = require('express');
 const validator = require('validator');
 const core = require('@steedos/core');
 
+const helmet = require('helmet');
+
 /**
  * @typedef {import('moleculer').Context} Context Moleculer's Context
  */
@@ -226,6 +228,15 @@ module.exports = {
 						});
 					}
 
+					if(process.env.STEEDOS_HTTP_ENABLED_HELMET===true || process.env.STEEDOS_HTTP_ENABLED_HELMET=='true'){
+
+						const steedosConfig = objectql.getSteedosConfig();
+
+						const helmetConfig = steedosConfig.helmet;
+
+						WebApp.connectHandlers.use(helmet(helmetConfig))
+					}
+
 					WebApp.connectHandlers.use(connectHandlersExpress)
 					const steedosSchema = require('@steedos/objectql').getSteedosSchema(this.broker);
 					this.wrapAsync(this.startStandardObjectsPackageLoader, {});

services/service-steedos-server/package.json

@@ -34,6 +34,7 @@
     "@steedos/webapp-public": "2.6.29",
     "@steedos/workflow": "2.6.29",
     "dotenv-flow": "^3.2.0",
+    "helmet": "6.2.0",
     "moleculer": "^0.14.25",
     "moleculer-db": "^0.8.4",
     "moleculer-web": "^0.10.4",

yarn.lock

@@ -9911,6 +9911,11 @@ header-case@^1.0.0:
     no-case "^2.2.0"
     upper-case "^1.1.3"
 
+helmet@6.2.0:
+  version "6.2.0"
+  resolved "https://registry.npmmirror.com/helmet/-/helmet-6.2.0.tgz#c29d62014be4c70b8ef092c9c5e54c8c26b8e16e"
+  integrity sha512-DWlwuXLLqbrIOltR6tFQXShj/+7Cyp0gLi6uAb8qMdFh/YBBFbKSgQ6nbXmScYd8emMctuthmgIa7tUfo9Rtyg==
+
 hexoid@1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/hexoid/-/hexoid-1.0.0.tgz#ad10c6573fb907de23d9ec63a711267d9dc9bc18"