feat(express): make helmet headers configurable

this PR makes the sent security headers by hops via helmet
configurable, so that projects that use directly hops as a
"front-facing-server" can set their custom headers.

packages/express/README.md

@@ -35,6 +35,7 @@ You may use either `hops serve -p` or its equivalent `NODE_ENV=production hops s
 | `port` | `String` | `[PORT]` | _no_ | Specify the Port that Hops should listen on |
 | `distDir` | `String` | `'<rootDir>/dist'` | _no_ | The folder from which to serve static assets |
 | `gracePeriod` | `number` | `30000` | _no_ | Time to wait (in ms) until killing the server |
+| `helmetConfig` | `Object` | `{}` | _no_ | Headers to set or overwrite in helmet |
 
 ##### `https`
 
@@ -91,6 +92,10 @@ The amount of time (in milliseconds) to wait after receiving a [`SIGTERM`](https
 }
 ```
 
+##### `helmetConfig`
+
+The config to set security http headers via [helmet](https://helmetjs.github.io/).
+
 #### Render Options
 
 This preset has no runtime configuration options.

packages/express/mixins/mixin.core.js

@@ -37,9 +37,9 @@ class ExpressMixin extends Mixin {
     const express = require('express');
     const mime = require('mime');
     const cookieParser = require('cookie-parser');
-    const { distDir } = this.config;
+    const { distDir, helmetConfig = {} } = this.config;
     middlewares.preinitial.push(
-      helmet({ contentSecurityPolicy: false }),
+      helmet({ contentSecurityPolicy: false, ...helmetConfig }),
       cookieParser()
     );
     middlewares.files.push(

packages/express/preset.js

@@ -26,5 +26,8 @@ module.exports = {
     port: { oneOf: [{ type: 'string' }, { type: 'number' }] },
     distDir: { type: 'string', minLength: 1, absolutePath: true },
     gracePeriod: { type: 'number' },
+    helmetConfig: {
+      type: 'object',
+    },
   },
 };