From 8a597590954ba5265459ba8b1bbc17581a9c74f9 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sat, 8 Jul 2017 12:14:12 +0100
Subject: [PATCH] harden server with helmet extensions
---
 src/server.ts | 19 ++++++++++++++++++-
 src/types/fakes.d.ts | 2 ++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/server.ts b/src/server.ts
index ba17037..450af3b 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -4,6 +4,9 @@ import * as AccessControl from 'express-ip-access-control';
 import * as compression from 'compression';
 import * as helmet from 'helmet';
 import * as opbeat from 'opbeat';
+import * as expectCt from 'expect-ct';
+import * as referrerPolicy from 'referrer-policy';
+
 import logging from './middleware/logging';
 import basicAuthHandler from './middleware/basic-auth';
@@ -12,11 +15,25 @@ import handle404 from './middleware/404';
 import { Options } from './types';
+const PKG = require('../package.json');
+
 export default function createServer(opts : Options) : express.Application {
   const app = express();
-  app.disable('x-powered-by');
   app.use(helmet());
+  app.use(helmet.hidePoweredBy({setTo: `tstatic ${PKG.version}`}));
+  app.use(helmet.ieNoOpen());
+  app.use(helmet.noCache());
+  app.use(referrerPolicy({ policy: 'same-origin' }));
+  app.use(expectCt({
+    enforce: false,
+    maxAge: 1000
+  }));
+  app.use(helmet.hsts({
+    maxAge: 5184000,
+    setIf: (req, res) => req.secure,
+  }));
+
   if (process.env.NODE_ENV !== 'test') {
     app.use(logging);
   }
diff --git a/src/types/fakes.d.ts b/src/types/fakes.d.ts
index 4f0a349..593bcd0 100644
--- a/src/types/fakes.d.ts
+++ b/src/types/fakes.d.ts
@@ -10,3 +10,5 @@ declare module 'docopt';
 declare module 'open';
 declare module 'node-fetch';
 declare module 'chai';
+declare module 'expect-ct';
+declare module 'referrer-policy';
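Review bot: `app.use(helmet.hidePoweredBy({setTo: `tstatic ${PKG.version}`}))` replaces the removed `app.disable('x-powered-by')` with a header that advertises the server name and exact version on every response, which is the kind of disclosure a hardening commit normally removes; `helmet()` on the preceding line already strips X-Powered-By, so this line can simply be dropped. The `helmet.hsts` block gates on `req.secure`, which Express only reports as true when TLS terminates in this process or `trust proxy` has been configured, so behind a TLS-terminating proxy the Strict-Transport-Security header would never be sent — confirm the deployment, or set `trust proxy` and gate on `req.protocol === 'https'`. `expectCt({ enforce: false, maxAge: 1000 })` carries no `reportUri`, so it is report-only with nowhere to report and has no practical effect as written. `helmet.noCache()` is mounted for every route; if this serves static assets, as the `tstatic` banner suggests, it disables client and proxy caching for all of them, which is probably not intended. createServer continues past the end of the hunk.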
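Review bot: `declare module 'expect-ct';` and `declare module 'referrer-policy';` are shorthand ambient declarations, so both imports are typed `any` and the option objects passed in src/server.ts (`{ enforce: false, maxAge: 1000 }` and `{ policy: 'same-origin' }`) are not checked at all. A minimal `declare module` block using `export =` that lists the handful of options actually used would catch a misspelt option name or wrong value type at compile time instead of silently producing a misconfigured header.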