It21306754

client/src/setupProxy.js

@@ -0,0 +1,15 @@
+const { createProxyMiddleware } = require('http-proxy-middleware');
+
+module.exports = function(app) {
+    app.use(
+        '/auth',  // Adjust this path based on your API endpoints
+        createProxyMiddleware({
+            target: 'http://localhost:5000',  // Your backend server URL
+            changeOrigin: true,
+            onProxyRes: function(proxyRes) {
+                // Remove the X-Powered-By header if it appears
+                delete proxyRes.headers['x-powered-by'];
+            }
+        })
+    );
+};

server/package.json

@@ -19,6 +19,8 @@
     "cors": "^2.8.5",
     "dotenv": "^16.3.1",
     "express": "^4.18.1",
+    "helmet": "^7.1.0",
+    "http-proxy-middleware": "^3.0.2",
     "mongoose": "^7.6.1",
     "readable-stream": "^4.4.2",
     "readdirp": "^3.6.0",

server/server.js

@@ -3,15 +3,55 @@ const http = require('http')
 const { Server } = require('socket.io')
 const cors = require("cors")
 const mongoose = require('mongoose');
+const helmet = require('helmet'); // Import helmet for security headers
 require('dotenv').config()
 const authRouts = require('./routes/authRouts')
 const codeRouts = require('./routes/codeRoutes')
+
+const session = require('express-session');
+const passport = require('passport');
+require('./passport'); // Import passport configuration
+
+// Disable the 'X-Powered-By' header (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+app.disable('x-powered-by');
+
 const app = express();
 
+// Disable the 'X-Powered-By' header (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+app.disable('x-powered-by');
+
+// Set up security headers with Helmet
+app.use(helmet());
+
+// Configure CSP
+app.use(helmet.contentSecurityPolicy({
+    directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"], 
+        styleSrc: ["'self'"],
+        imgSrc: ["'self'"],
+        connectSrc: ["'self'", "http://localhost:5000"], 
+    },
+}));
+
+// Set X-Frame-Options header to deny iframe embedding
+app.use(helmet.frameguard({ action: 'deny' }));
+
+// Log the CSP header for debugging
+app.use((req, res, next) => {
+    console.log('CSP Header:', res.getHeaders()['content-security-policy']);
+    next();
+});
 app.use(cors())
 
 app.use(express.json());
 
+// Setting security headers (X-Content-Type-Options Header Missing)
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  next();
+});
+
 app.use('/auth', authRouts);
 app.use('/code', codeRouts);
 
@@ -22,9 +62,6 @@ app.use((req, res, next) => {
 });
 
 
-
-
-
 //database 
 mongoose.connect(process.env.MANGOOSE_URI)
 .then(() => {