feat: add security headers config

Author: emmanuelgautier

README.md

@@ -101,6 +101,7 @@ All CLI flags can be set via environment variables instead:
 | `STUBIDP_REGISTRATION_INITIAL_ACCESS_TOKEN` | —                                 | Bearer token required to call `POST /register` (open registration when omitted)                     |
 | `STUBIDP_TRUST_PROXY`                       | `false`                           | Trust reverse proxy headers (`X-Forwarded-*`). Enable when running behind a proxy                   |
 | `STUBIDP_HTTPS_REDIRECT`                    | `false`                           | Redirect HTTP requests to HTTPS and set CSP `upgrade-insecure-requests`                             |
+| `STUBIDP_SECURITY_HEADERS`                  | `false`                           | Enable security headers (CSP, HSTS, etc.) via helmet. Enable when deployed, not for local dev       |
 
 ## Dynamic Client Registration
 

bin/run.js

@@ -111,6 +111,7 @@ const app = await createApp({
   defaultUser,
   trustProxy: argv['trust-proxy'],
   httpsRedirect: argv['https-redirect'],
+  securityHeaders: argv['security-headers'],
   rateLimit: {
     windowMs: argv['rate-limit-window-ms'],
     max: argv['rate-limit-max'],

docs/configuration.mdx

@@ -24,6 +24,7 @@ import { Aside } from '@/components/docs'
 | `--registration-initial-access-token` | No       | Bearer token required to call `POST /register`. Omit for open registration.                                              |
 | `--trust-proxy`                       | No       | Trust reverse proxy headers (`X-Forwarded-*`). Enable when running behind a reverse proxy or load balancer.              |
 | `--https-redirect`                    | No       | Redirect HTTP requests to HTTPS and enable CSP `upgrade-insecure-requests`. Enable in production behind TLS termination. |
+| `--security-headers`                  | No       | Enable security headers (CSP, HSTS, etc.) via helmet. Enable when deployed; omit for local development.                  |
 
 When `--client-id` or `--client-secret` are omitted, the generated values are printed in the startup table so you can copy them into your application config.
 
@@ -58,6 +59,7 @@ Every CLI flag can also be set via an environment variable (see below). Environm
 | `STUBIDP_RATE_LIMIT_DISABLED`  | `false`  | Set to `true` to disable rate limiting (equivalent to `--rate-limit-disabled`)                                        |
 | `STUBIDP_TRUST_PROXY`          | `false`  | Set to `true` to trust reverse proxy headers (`X-Forwarded-*`) (equivalent to `--trust-proxy`)                        |
 | `STUBIDP_HTTPS_REDIRECT`       | `false`  | Set to `true` to redirect HTTP to HTTPS and enable CSP `upgrade-insecure-requests` (equivalent to `--https-redirect`) |
+| `STUBIDP_SECURITY_HEADERS`     | `false`  | Set to `true` to enable security headers (CSP, HSTS, etc.) via helmet (equivalent to `--security-headers`)            |
 
 ## Database
 

src/args.ts

@@ -89,6 +89,13 @@ export const argv = yargs(hideBin(process.argv))
       description:
         'Redirect HTTP requests to HTTPS and set CSP upgrade-insecure-requests [env: STUBIDP_HTTPS_REDIRECT]',
     },
+    'security-headers': {
+      type: 'boolean',
+      demandOption: false,
+      env: 'STUBIDP_SECURITY_HEADERS',
+      description:
+        'Enable security headers (CSP, HSTS, etc.) via helmet. Enable when deployed [env: STUBIDP_SECURITY_HEADERS]',
+    },
   })
   .env('STUBIDP')
   .parseSync()

src/server.ts

@@ -19,26 +19,29 @@ export interface AppOptions extends ProviderOptions {
   skipPrompt?: boolean
   trustProxy?: boolean
   httpsRedirect?: boolean
+  securityHeaders?: boolean
 }
 
 export async function createApp(options: AppOptions): Promise<Express> {
   const app: Express = express()
   const oidc: Provider = await createProvider(options)
 
-  const directives = helmet.contentSecurityPolicy.getDefaultDirectives()
-  delete directives['form-action']
-  delete directives['upgrade-insecure-requests']
-  if (options.httpsRedirect) {
-    directives['upgrade-insecure-requests'] = []
+  if (options.securityHeaders) {
+    const directives = helmet.contentSecurityPolicy.getDefaultDirectives()
+    delete directives['form-action']
+    delete directives['upgrade-insecure-requests']
+    if (options.httpsRedirect) {
+      directives['upgrade-insecure-requests'] = []
+    }
+    app.use(
+      helmet({
+        contentSecurityPolicy: {
+          useDefaults: false,
+          directives,
+        },
+      }),
+    )
   }
-  app.use(
-    helmet({
-      contentSecurityPolicy: {
-        useDefaults: false,
-        directives,
-      },
-    }),
-  )
 
   const rl = options.rateLimit ?? {}
   if (!rl.disabled) {

src/worker.ts

@@ -33,6 +33,7 @@ async function ensureApp(currentEnv: Env): Promise<Express> {
     issuer: currentEnv.STUBIDP_ISSUER,
     trustProxy: currentEnv.STUBIDP_TRUST_PROXY === 'true',
     httpsRedirect: currentEnv.STUBIDP_HTTPS_REDIRECT === 'true',
+    securityHeaders: true,
   })
 
   cachedEntry = { key, app }