DevRocket
Security

Security Headers

Security headers are HTTP response headers that tell the browser to enforce protections on your behalf, covering common attacks such as cross-site scripting (XSS), clickjacking and MIME sniffing. They complement secure coding in the application itself (output encoding, input validation) rather than replace it. This guide shows how to add the recommended security headers to your NestJS app.

Step 1: Why Use Security Headers?

Security headers enhance the protection of your web application by:

  • Instructing browsers to connect over HTTPS only (HSTS).
  • Preventing your app from being embedded in iframes on other sites (clickjacking).
  • Stopping browsers from guessing a MIME type that differs from the declared Content-Type.
  • Controlling what is sent in the Referer header when users follow links or load resources.

Step 2: Install Helmet Middleware

Helmet is a popular middleware for setting security headers in Node.js applications. Called with no options it already sends a default set of headers, including Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Referrer-Policy, so the later steps tune those defaults rather than add the headers from scratch.

  1. Install Helmet:

    cd backend
    npm install helmet
  2. Enable Helmet in your NestJS application by modifying main.ts:

    import { NestFactory } from '@nestjs/core';
    import { AppModule } from './app.module';
    import helmet from 'helmet';
     
    async function bootstrap() {
      const app = await NestFactory.create(AppModule);
     
      // Enable Helmet middleware
      app.use(helmet());
     
      await app.listen(3000);
    }
    bootstrap();

Step 3: Add Custom Security Headers

Helmet's defaults are sensible, but each header's value can be tuned by passing options to helmet(); every option below maps to one header. The configuration sets a one-year HSTS policy with preload (longer than Helmet's default), changes X-Frame-Options from Helmet's default SAMEORIGIN to DENY, keeps X-Content-Type-Options: nosniff, and sets Referrer-Policy to strict-origin-when-cross-origin (Helmet's default is no-referrer). Configuring the values through Helmet, rather than in a second middleware that overwrites what Helmet already set, keeps one source of truth for the headers. Update main.ts:

import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import helmet from 'helmet';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // Enable Helmet with tuned header values. Headers not mentioned here keep
  // Helmet's defaults.
  app.use(
    helmet({
      // Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
      // X-Frame-Options: DENY (Helmet's default is SAMEORIGIN)
      frameguard: { action: 'deny' },
      // X-Content-Type-Options: nosniff (already Helmet's default)
      noSniff: true,
      // Referrer-Policy: strict-origin-when-cross-origin
      referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
      // Content-Security-Policy is Helmet's main defence against XSS. Disabling
      // it is only a stopgap until a policy that fits your front end is written;
      // do not ship to production with it turned off.
      contentSecurityPolicy: false,
    }),
  );

  await app.listen(3000);
}
bootstrap();
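
The contentSecurityPolicy: false line above switches off Helmet's main XSS defence, so it helps to see what a real policy looks like before deciding to leave it disabled. The following is an added example, not code from the DevRocket page or from Helmet: it takes a directives object in the same camelCase shape that Helmet's contentSecurityPolicy.directives option accepts, serialises it into a header value, and refuses policies whose script-src would still let injected scripts run. The policy contents, the 'nonce-placeholder' value and the helper names (toKebab, lintCsp, buildCsp) are assumptions made for this example.

```typescript
// Added example, not Helmet's code: serialise a Helmet-style directives object
// into a Content-Security-Policy value and refuse policies that would not stop
// injected scripts. The sample policies are constructed for this example.
type CspDirectives = { [directive: string]: string[] | undefined };

// Helmet takes camelCase keys (defaultSrc); the header uses kebab-case (default-src).
function toKebab(name: string): string {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

function hasSource(values: string[], source: string): boolean {
  return values.indexOf(source) !== -1;
}

// Return the reasons a policy fails to contain XSS; an empty array means acceptable.
function lintCsp(directives: CspDirectives): string[] {
  const problems: string[] = [];
  // script-src falls back to default-src when it is not given.
  const script = directives['scriptSrc'] ?? directives['defaultSrc'];
  if (script === undefined) {
    return ['neither script-src nor default-src is set, so scripts load from any origin'];
  }
  // With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP level 2 and later).
  const hasNonceOrHash = script.some((v) => /^'(nonce|sha(256|384|512))-/.test(v));
  if (hasSource(script, "'unsafe-inline'") && !hasNonceOrHash) {
    problems.push("script-src allows 'unsafe-inline' without a nonce or hash, so injected <script> runs");
  }
  if (hasSource(script, '*') || hasSource(script, 'https:') || hasSource(script, 'http:')) {
    problems.push('script-src allows scripts from any origin');
  }
  if (hasSource(script, "'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
  return problems;
}

// Build the header value, or throw if the policy is unsafe.
function buildCsp(directives: CspDirectives): string {
  const problems = lintCsp(directives);
  if (problems.length > 0) throw new Error('refusing unsafe CSP: ' + problems.join('; '));
  return Object.keys(directives)
    .map((name) => {
      const values: string[] = directives[name] ?? [];
      // A directive with no values (upgrade-insecure-requests) is emitted bare.
      return [toKebab(name)].concat(values).join(' ');
    })
    .join('; ');
}

// Constructed sample: a strict policy. A real nonce must be random per response.
const strictPolicy: CspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'nonce-placeholder'"],
  objectSrc: ["'none'"],
  frameAncestors: ["'none'"], // same effect as X-Frame-Options: DENY
  upgradeInsecureRequests: [],
};
// Constructed sample: a policy that is present but protects nothing.
const permissivePolicy: CspDirectives = {
  defaultSrc: ['*'],
  scriptSrc: ["'self'", "'unsafe-inline'", 'https:'],
};

console.log(buildCsp(strictPolicy));
console.log(lintCsp(permissivePolicy));
```

To use such a policy with Helmet, replace contentSecurityPolicy: false with contentSecurityPolicy: { directives: strictPolicy }, generate the nonce per request, and pass the same nonce to your templates; Helmet serialises the directives itself, so buildCsp is only needed to see or lint the resulting value.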

Step 4: Explanation of Headers

  1. Strict-Transport-Security (HSTS):

    • Tells a browser that has received the header over HTTPS to use HTTPS only for this host for the given period: http:// links are upgraded before the request is sent, and certificate errors can no longer be clicked through. Browsers ignore the header on plain-HTTP responses, so it only takes effect once the site is actually served over TLS.
    • Configuration:
      max-age=31536000; includeSubDomains; preload
      • max-age=31536000: Remember the policy for one year (the value is in seconds); the preload list requires at least this value.
      • includeSubDomains: Apply the policy to every subdomain as well. Make sure all subdomains serve HTTPS before enabling this, because browsers cache the policy and will refuse plain-HTTP connections to them for the whole max-age.
      • preload: Signals that the domain may be submitted to the browser-maintained HSTS preload list (hstspreload.org). The header alone does not add the domain; you must submit it, and removal from the list takes months, so only set it once you are committed to HTTPS everywhere.
  2. X-Frame-Options:

    • Prevents the site from being embedded in an iframe, which is the basis of clickjacking.
    • Value: DENY (no framing at all); SAMEORIGIN would still allow your own pages to frame each other. When a Content-Security-Policy with a frame-ancestors directive is also present, browsers that support it use that directive instead of this header.
  3. X-Content-Type-Options:

    • Stops the browser from MIME-sniffing a response and treating it as a type other than the declared Content-Type, for example executing an uploaded "image" as a script.
    • Value: nosniff (the only defined value).
  4. Referrer-Policy:

    • Controls what the browser puts in the Referer header of requests that leave a page.
    • Value: strict-origin-when-cross-origin: the full URL for same-origin requests, only the origin for cross-origin requests, and nothing at all when going from HTTPS to HTTP.

Step 5: Test Your Headers

  1. Run Your App: Start the NestJS application:

    npm run start:dev
  2. Inspect the Headers: Open the Network tab of the browser developer tools and look at the Response Headers of any request, or send a request with curl (the -I flag shows only the headers) or Postman. You should see Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and Referrer-Policy with the values from Step 3. With contentSecurityPolicy set to false there will be no Content-Security-Policy header; treat that as a gap to close before going to production.
  3. Test over TLS: Browsers only honour Strict-Transport-Security received over HTTPS, so verify HSTS behaviour against the HTTPS endpoint (for example behind your TLS-terminating proxy), not only against http://localhost:3000.
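
Manual inspection does not scale across many endpoints and environments, and a weak value such as a short max-age is easy to overlook. The following is an added example, not part of the DevRocket page or of Helmet: a TypeScript audit function that takes a response's headers as a plain object (as you would get from fetch or from Nest's test client), parses Strict-Transport-Security, checks the headers explained in Step 4 against the values configured in Step 3, and reports which are missing or weak. The header sets at the bottom are constructed samples, and the function, type and constant names are the example's own.

```typescript
// Added example, not part of the DevRocket page or Helmet: audit a response's
// security headers against the values configured in Step 3. Header values
// below are constructed samples.
type HeaderMap = { [name: string]: string | undefined };
interface Finding { header: string; severity: 'missing' | 'weak'; detail: string }
interface HstsPolicy { maxAge: number; includeSubDomains: boolean; preload: boolean }
const ONE_YEAR_SECONDS = 31536000;
// Referrer policies that never send a full URL to a cross-origin destination.
const SAFE_REFERRER_POLICIES = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];

// Header names are case-insensitive, so key everything by lower case.
function normalizeHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    const value = headers[name];
    if (typeof value === 'string') out[name.toLowerCase()] = value.trim();
  }
  return out;
}

// Parse "max-age=31536000; includeSubDomains; preload". Returns null when
// max-age is absent or malformed, which browsers treat as an invalid header.
function parseHsts(value: string): HstsPolicy | null {
  let maxAge: number | null = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of value.split(';')) {
    const part = raw.trim();
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (key === 'max-age') {
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (key === 'includesubdomains') includeSubDomains = true;
    else if (key === 'preload') preload = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains, preload };
}

function auditSecurityHeaders(raw: HeaderMap): Finding[] {
  const h = normalizeHeaders(raw);
  const findings: Finding[] = [];
  const add = (header: string, severity: Finding['severity'], detail: string): void => {
    findings.push({ header, severity, detail });
  };
  const hsts = h['strict-transport-security'];
  const policy = hsts === undefined ? null : parseHsts(hsts);
  if (hsts === undefined) add('Strict-Transport-Security', 'missing', 'not set');
  else if (policy === null) add('Strict-Transport-Security', 'weak', 'max-age missing or malformed');
  else {
    if (policy.maxAge < ONE_YEAR_SECONDS) add('Strict-Transport-Security', 'weak', `max-age ${policy.maxAge} is below one year`);
    // The preload list only accepts max-age >= 1 year together with includeSubDomains.
    if (policy.preload && (!policy.includeSubDomains || policy.maxAge < ONE_YEAR_SECONDS)) {
      add('Strict-Transport-Security', 'weak', 'preload set without includeSubDomains and a one-year max-age');
    }
  }
  // Browsers that understand CSP frame-ancestors use it instead of X-Frame-Options.
  const csp = h['content-security-policy'];
  const cspControlsFraming = csp !== undefined && /\bframe-ancestors\b/i.test(csp);
  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    if (!cspControlsFraming) add('X-Frame-Options', 'missing', 'not set and CSP has no frame-ancestors');
  } else if (xfo.toUpperCase() !== 'DENY' && xfo.toUpperCase() !== 'SAMEORIGIN') {
    add('X-Frame-Options', 'weak', `unsupported value "${xfo}" (use DENY or SAMEORIGIN)`);
  }
  const xcto = h['x-content-type-options'];
  if (xcto === undefined) add('X-Content-Type-Options', 'missing', 'not set');
  else if (xcto.toLowerCase() !== 'nosniff') add('X-Content-Type-Options', 'weak', `unexpected value "${xcto}"`);
  // Referrer-Policy may list fallbacks; browsers apply the last value they recognise.
  const referrer = h['referrer-policy'];
  if (referrer === undefined) add('Referrer-Policy', 'missing', 'not set');
  else {
    const tokens = referrer.split(',').map((t) => t.trim().toLowerCase()).filter((t) => t !== '');
    const effective = tokens.pop() ?? '';
    if (SAFE_REFERRER_POLICIES.indexOf(effective) === -1) add('Referrer-Policy', 'weak', `"${referrer}" can leak full URLs cross-origin`);
  }
  if (csp === undefined) add('Content-Security-Policy', 'missing', 'not set (disabled in the Step 3 configuration)');
  return findings;
}

// Constructed sample: what the Step 3 configuration sends (CSP disabled).
const hardenedHeaders: HeaderMap = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
// Constructed sample: an unconfigured server with a few half-hearted settings.
const weakHeaders: HeaderMap = {
  'strict-transport-security': 'max-age=0',
  'x-frame-options': 'ALLOW-FROM https://example.com',
  'referrer-policy': 'unsafe-url',
};
console.log(auditSecurityHeaders(hardenedHeaders)); // one finding: Content-Security-Policy missing
console.log(auditSecurityHeaders(weakHeaders)); // five findings
```

In a Nest e2e test you would feed the function the headers of a real response from the test client and fail the test when it returns any finding you have not explicitly accepted; the hardened sample above still yields one finding, because the Step 3 configuration disables CSP.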


Congratulations!

You’ve added browser-enforced security headers to your NestJS application, covering HTTPS enforcement, clickjacking, MIME sniffing and referrer leakage. Remember to replace the disabled Content-Security-Policy with a real policy before going to production. 🎉
