Harden the response surface with Helmet and a tuned CSP
Description
The security headers in src/index.ts are hand-set (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) with a comment noting this is the "same shape Helmet would produce but without the dependency footprint... before deciding on a full Helmet/CSP policy." There is no Content-Security-Policy and no coverage of the full header set Helmet maintains. This issue adopts Helmet and adds a CSP.
Requirements and context
- Repository scope: Agentpay-Org/Agentpay-backend only.
- Replace the manual header middleware with helmet(), configured to preserve the current HSTS and frame-deny (X-Frame-Options: DENY) policy.
- Add a Content-Security-Policy appropriate for a JSON API (default-src 'none', frame-ancestors 'none'). With no script-src directive, scripts fall back to default-src 'none', so inline scripts and eval are blocked without any further directives.
- Keep the Permissions-Policy restrictions currently in place. Helmet does not emit Permissions-Policy, so that one header stays in a small custom middleware alongside helmet().
- Verify Helmet does not interfere with the metrics text exposition or CSV/JSON downloads: the Content-Type of those responses must be unchanged and the new headers must be present on every one of them.
Suggested execution
- Fork the repo and create a branch: git checkout -b security/security-20-helmet-csp
- Implement changes
  - Write code in: the security-header middleware in src/index.ts.
  - Write comprehensive tests in: new src/security-headers.test.ts, asserting that the expected headers and CSP are present on JSON, CSV, and metrics responses.
  - Add documentation: note the Helmet/CSP policy in README.md.
  - Add a clarifying TSDoc comment on the configuration.
  - Validate security assumptions: the CSP blocks inline scripts and eval (no 'unsafe-inline' or 'unsafe-eval' anywhere), and the HSTS max-age and includeSubDomains values are preserved, not replaced by Helmet's defaults.
- Test and commit
  - Run npm run build, npm test, and npm run lint.
  - Cover edge cases: headers on JSON, CSV, and metrics responses.
  - Include the full npm test output in the PR description.
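The configuration and the test check described above, written out as an added example. This is not AgentPay code: the HSTS max-age and the exact Permissions-Policy value are assumptions, since the issue does not quote the current hand-set values, and Helmet is deliberately not imported so the file runs stand-alone (the option names follow Helmet's documented API and the wiring line is shown in a comment). It gives the helmetOptions object, the Permissions-Policy middleware Helmet does not provide, and a checkSecurityHeaders function for src/security-headers.test.ts that flags a missing CSP, a CSP that allows inline or eval, a weakened HSTS, lost Permissions-Policy, and a changed Content-Type.

```typescript
// Added example (not AgentPay code). In src/index.ts this would be wired as:
//   app.use(helmet(helmetOptions));
//   app.use(permissionsPolicy);

// Assumed values: the issue does not quote the current hand-set policy.
const HSTS_MAX_AGE_SECONDS = 31_536_000; // one year
const PERMISSIONS_POLICY = "camera=(), geolocation=(), microphone=()";

type CspDirectives = Record<string, string[]>;

// A service that only returns JSON, CSV and text metrics loads nothing and may
// not be framed. With no script-src, scripts fall back to default-src 'none',
// so inline scripts and eval are blocked without any extra directive.
export const cspDirectives: CspDirectives = {
  defaultSrc: ["'none'"],
  frameAncestors: ["'none'"],
  baseUri: ["'none'"],
  formAction: ["'none'"],
};

// Option names follow Helmet's documented API; useDefaults: false keeps Helmet
// from merging its broader default directive set into this policy.
export const helmetOptions = {
  contentSecurityPolicy: { useDefaults: false, directives: cspDirectives },
  strictTransportSecurity: { maxAge: HSTS_MAX_AGE_SECONDS, includeSubDomains: true },
  frameguard: { action: "deny" as const },
  referrerPolicy: { policy: "no-referrer" as const },
};

// Helmet has no Permissions-Policy middleware, so this header stays hand-set.
interface HeaderSetter { setHeader(name: string, value: string): void }
export function permissionsPolicy(_req: unknown, res: HeaderSetter, next: () => void): void {
  res.setHeader("Permissions-Policy", PERMISSIONS_POLICY);
  next();
}

// camelCase directive names -> kebab-case header syntax, ';'-separated.
export function serializeCsp(directives: CspDirectives): string {
  return Object.entries(directives)
    .map(([name, values]) => `${name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase())} ${values.join(" ")}`)
    .join(";");
}

// Parse a CSP header so the check is independent of Helmet's whitespace.
function parseCsp(value: string): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const part of value.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = values;
  }
  return out;
}

// Returns an empty list when a response carries the full policy. Run it over
// the JSON, CSV and /metrics responses; expectedContentType catches Helmet
// (or a refactor) disturbing the body type of downloads and metrics.
export function checkSecurityHeaders(headers: Record<string, string>, expectedContentType?: string): string[] {
  const h: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems: string[] = [];

  const csp = h["content-security-policy"];
  if (!csp) {
    problems.push("missing Content-Security-Policy");
  } else {
    const d = parseCsp(csp);
    if (d["default-src"]?.join(" ") !== "'none'") problems.push("default-src is not 'none'");
    if (d["frame-ancestors"]?.join(" ") !== "'none'") problems.push("frame-ancestors is not 'none'");
    for (const [name, values] of Object.entries(d)) {
      if (values.some((v) => v === "'unsafe-inline'" || v === "'unsafe-eval'")) problems.push(`${name} allows inline or eval`);
    }
  }

  const hsts = h["strict-transport-security"] ?? "";
  const maxAge = Number(/max-age=(\d+)/.exec(hsts)?.[1] ?? -1);
  if (maxAge < HSTS_MAX_AGE_SECONDS) problems.push("HSTS max-age weakened or missing");
  if (!/includeSubDomains/i.test(hsts)) problems.push("HSTS lost includeSubDomains");
  if (h["x-frame-options"]?.toUpperCase() !== "DENY") problems.push("X-Frame-Options is not DENY");
  if (h["x-content-type-options"]?.toLowerCase() !== "nosniff") problems.push("X-Content-Type-Options is not nosniff");
  if (h["referrer-policy"] !== "no-referrer") problems.push("Referrer-Policy changed");
  if (h["permissions-policy"] !== PERMISSIONS_POLICY) problems.push("Permissions-Policy restrictions lost");
  if (expectedContentType && !(h["content-type"] ?? "").startsWith(expectedContentType)) problems.push("Content-Type changed");
  return problems;
}

// Constructed header map standing in for a real response once Helmet and
// permissionsPolicy are wired; lets the checker be exercised without a server.
export function hardenedHeaders(contentType: string): Record<string, string> {
  return {
    "Content-Type": contentType,
    "Content-Security-Policy": serializeCsp(cspDirectives),
    "Strict-Transport-Security": `max-age=${HSTS_MAX_AGE_SECONDS}; includeSubDomains`,
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": PERMISSIONS_POLICY,
  };
}

// The pre-Helmet hand-set headers the issue describes: everything but the CSP.
export function legacyHeaders(contentType: string): Record<string, string> {
  const headers = hardenedHeaders(contentType);
  delete headers["Content-Security-Policy"];
  return headers;
}

console.log("metrics:", checkSecurityHeaders(hardenedHeaders("text/plain; version=0.0.4; charset=utf-8"), "text/plain"));
console.log("legacy CSV:", checkSecurityHeaders(legacyHeaders("text/csv"), "text/csv"));
```

In the real test, replace hardenedHeaders with the headers supertest returns from the JSON, CSV and /metrics routes and assert that checkSecurityHeaders returns an empty list for each; the legacy and 'unsafe-inline' cases belong in the test too, so that a future loosening of the policy fails loudly rather than silently.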
Example commit message
security: adopt helmet with a tuned content-security-policy
Guidelines
- Minimum 95 percent test coverage for impacted modules.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.