

feat(core): Setup helmet.js for setting security headers
netroy committed Apr 3, 2024
1 parent fe33e3e commit bdc1a34
Showing 4 changed files with 28 additions and 3 deletions.
1 change: 1 addition & 0 deletions packages/cli/package.json
Expand Up @@ -130,6 +130,7 @@
"formidable": "3.5.1",
"google-timezones-json": "1.1.0",
"handlebars": "4.7.8",
"helmet": "7.1.0",
"infisical-node": "1.3.0",
"inquirer": "7.3.3",
"ioredis": "5.3.2",
3 changes: 1 addition & 2 deletions packages/cli/src/AbstractServer.ts
Expand Up @@ -32,7 +32,7 @@ export abstract class AbstractServer {

protected externalHooks: ExternalHooks;

protected protocol: string;
protected protocol = config.getEnv('protocol');

protected sslKey: string;

Expand Down Expand Up @@ -65,7 +65,6 @@ export abstract class AbstractServer {
const proxyHops = config.getEnv('proxy_hops');
if (proxyHops > 0) this.app.set('trust proxy', proxyHops);

this.protocol = config.getEnv('protocol');
this.sslKey = config.getEnv('ssl_key');
this.sslCert = config.getEnv('ssl_cert');

19 changes: 18 additions & 1 deletion packages/cli/src/Server.ts
Expand Up @@ -9,6 +9,7 @@ import { access as fsAccess } from 'fs/promises';
import { promisify } from 'util';
import cookieParser from 'cookie-parser';
import express from 'express';
import helmet from 'helmet';
import { engine as expressHandlebars } from 'express-handlebars';
import { type Class, InstanceSettings } from 'n8n-core';
import type { IN8nUISettings } from 'n8n-workflow';
Expand Down Expand Up @@ -366,6 +367,20 @@ export class Server extends AbstractServer {
this.app.use('/icons/@:scope/:packageName/*/*.(svg|png)', serveIcons);
this.app.use('/icons/:packageName/*/*.(svg|png)', serveIcons);

const isTLSEnabled = this.protocol === 'https' && !!(this.sslKey && this.sslCert);
const securityHeadersMiddleware = helmet({
contentSecurityPolicy: false,
xFrameOptions: { action: 'sameorigin' },
dnsPrefetchControl: false,
// This is only relevant for Internet-explorer, which we do not support
ieNoOpen: false,
// This is already disabled in AbstractServer
xPoweredBy: false,
// Enable HSTS headers only when n8n handles TLS.
// if n8n is behind a reverse-proxy, then these headers needs to be configured there
strictTransportSecurity: isTLSEnabled,
});

// Route all UI urls to index.html to support history-api
const nonUIRoutes: Readonly<string[]> = [
'assets',
Expand All @@ -390,7 +405,9 @@ export class Server extends AbstractServer {
) {
req.url = '/index.html';
res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
res.sendFile('index.html', { root: staticCacheDir, maxAge, lastModified: true });
securityHeadersMiddleware(req, res, () => {
res.sendFile('index.html', { root: staticCacheDir, maxAge, lastModified: true });
});
} else {
next();
}
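Review bot: securityHeadersMiddleware is only invoked inside the index.html fallback branch (`securityHeadersMiddleware(req, res, () => { res.sendFile(...) })`), so the X-Frame-Options, X-Content-Type-Options, Referrer-Policy and (when TLS is on) HSTS headers helmet produces are sent only with the SPA shell; the serveIcons routes registered just above it and whatever other static and API handlers this method installs outside the hunk still respond without them, and HSTS in particular only takes effect if it is seen on the responses a browser actually receives. If that narrow scope is deliberate, say so in a comment on the call site; otherwise registering it once with `this.app.use(securityHeadersMiddleware);` before the static handlers gives every response the same headers. In the options object, `contentSecurityPolicy: false` and `dnsPrefetchControl: false` are the two entries with no rationale comment while ieNoOpen, xPoweredBy and strictTransportSecurity each have one; a one-line reason next to each (as for the others) would stop a later reader from re-enabling or removing them blindly. Passing `strictTransportSecurity: isTLSEnabled` as a boolean relies on helmet's default HSTS directives, which is worth stating in the existing comment so the max-age/includeSubDomains behaviour is a documented choice rather than an accident. The enclosing method begins before the first hunk and ends after the second, so the `next()` fallthrough and the rest of the route setup are not visible here.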
8 changes: 8 additions & 0 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
