As Norman, a Lead Engineer at TrackIt, I want to use best-practice npm packages like Helmet with my APIs so that I get a baseline level of safety and security by default.
As Jenny, the CTO of TrackIt, I lose sleep over the idea of things like data breaches because in some cases I would be legally accountable, so I want all our services and applications to be as secure as possible.
As Joe, a fitness fanatic, I want to know that all my data is secure, because bad people having access to the type, time and location of my fitness activities is a scary idea. I wouldn't want to use an app that doesn't look after my data.
Acceptance Criteria:
Given I am a developer who clones down the Activity API repo,
When I look at the top level app file,
Then I should see Helmet configured as one of the first pieces of middleware.
Given I am a developer who makes a request to the Activity API,
When I inspect the response headers,
Then I should not be able to see the response header “X-Powered-By: Express”.
### Tasks for User Story 2
- [x] Install Helmet via npm if it's not already installed.
  - Run `npm install helmet`.
- [x] Require Helmet in the application file.
  - Import `helmet` at the top of the file, alongside `express`.
- [x] Configure Helmet as one of the first pieces of middleware.
  - Add `app.use(helmet());` before any other middleware or routes are registered, so that every response (including error responses) carries the security headers.
- [x] Remove the `X-Powered-By: Express` header from the response.
  - Add `app.disable('x-powered-by');` in the application file. Note that `helmet()` already removes this header by default, so the explicit `disable` call is belt-and-braces: it keeps the header off even if Helmet is later configured with `hidePoweredBy` turned off or is accidentally removed.
- [x] Test that all acceptance criteria are met by making a request to the running API and inspecting the response headers.
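The second acceptance criterion is testable without reading the source: request any route and inspect the headers. The script below is an added example, not code from the Activity API repo. It audits a response's headers for the forbidden `X-Powered-By` header and for the headers that `helmet()` sets by default (assumed here to be helmet v4 or later: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Referrer-Policy). The two sample header sets are constructed for illustration; the script can also be pointed at a live server with Node's built-in `http` module.

```javascript
// Added example: audit an HTTP response's headers against the Helmet
// acceptance criteria. Not part of the Activity API; no npm dependencies.

// Headers that must NOT appear. Advertising the framework helps an attacker
// pick framework-specific payloads; Helmet strips X-Powered-By by default and
// app.disable('x-powered-by') does the same on the Express side.
const FORBIDDEN_HEADERS = ['x-powered-by'];

// Headers helmet() sets by default (assumption: helmet >= 4). A value of null
// means "must be present, any value"; a string means the value must match.
// X-Content-Type-Options has exactly one meaningful value, so it is checked.
const EXPECTED_HEADERS = {
  'content-security-policy': null,
  'strict-transport-security': null,
  'x-content-type-options': 'nosniff',
  'x-frame-options': null,
  'referrer-policy': null,
};

// Header names are case-insensitive; Node lower-cases them on IncomingMessage,
// but hand-built objects or other clients may not, so normalise first.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  return out;
}

// Returns { pass: boolean, findings: string[] }; an empty findings list passes.
function auditSecurityHeaders(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const findings = [];
  for (const name of FORBIDDEN_HEADERS) {
    if (name in headers) {
      findings.push(`forbidden header present: ${name}: ${headers[name]}`);
    }
  }
  for (const [name, expected] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in headers)) {
      findings.push(`missing header: ${name}`);
    } else if (expected !== null && headers[name] !== expected) {
      findings.push(`unexpected value for ${name}: got "${headers[name]}", expected "${expected}"`);
    }
  }
  return { pass: findings.length === 0, findings };
}

// Constructed sample: what a bare Express JSON route returns before Helmet.
const BARE_EXPRESS_HEADERS = {
  'X-Powered-By': 'Express',
  'Content-Type': 'application/json; charset=utf-8',
  'Content-Length': '2',
};

// Constructed sample: the same route once app.use(helmet()) runs first.
// Values are illustrative, not a capture from the real service.
const HELMETED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'no-referrer',
  'Content-Type': 'application/json; charset=utf-8',
  'Content-Length': '2',
};

// Live mode: `node audit-headers.js http://localhost:3000/` fetches the URL
// and exits non-zero on any finding, so it can run in CI against a test server.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const http = require('node:http');
  http.get(process.argv[2], (res) => {
    res.resume(); // only the headers matter; discard the body
    const result = auditSecurityHeaders(res.headers);
    console.log(result.pass ? 'PASS' : 'FAIL');
    for (const finding of result.findings) console.log(' -', finding);
    process.exitCode = result.pass ? 0 : 1;
  }).on('error', (err) => {
    console.error(`request failed: ${err.message}`);
    process.exitCode = 2;
  });
}
```

Run it against the local Activity API with `node audit-headers.js http://localhost:3000/activities`; a `FAIL` listing `forbidden header present: x-powered-by: Express` means Helmet is either not installed or registered after the route that answered.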