JAVASCRIPT
Configure Essential HTTP Security Headers in Express.js
Enhance your web application's security by configuring critical HTTP headers like HSTS, CSP, X-Frame-Options, and X-Content-Type-Options in Express.js.
```javascript
// Install: npm install express helmet
const express = require('express');
const helmet = require('helmet');

const app = express();

// Use Helmet middleware to set various security headers.
// helmet() already sends HSTS, X-Frame-Options, X-Content-Type-Options,
// Referrer-Policy and a default CSP; the middleware below overwrites those
// values, so the headers it sets are the ones the client actually receives.
app.use(helmet());

// Explicitly configure some headers for finer control or additional ones
app.use((req, res, next) => {
  // HSTS (HTTP Strict Transport Security) - enforce HTTPS
  // Max-Age should be high for production (e.g., 31536000 seconds = 1 year);
  // browsers only honor HSTS on responses that were served over HTTPS.
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  // X-Frame-Options - prevent clickjacking
  res.setHeader('X-Frame-Options', 'DENY');
  // X-Content-Type-Options - prevent MIME-sniffing attacks
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // Referrer-Policy - control what referrer information is sent with requests
  // (this replaces helmet's stricter default of 'no-referrer')
  res.setHeader('Referrer-Policy', 'no-referrer-when-downgrade');
  // Content-Security-Policy (CSP) - mitigate XSS and data injection
  // Configure carefully based on your application's needs. Note that
  // 'unsafe-inline' in script-src lets injected inline scripts execute, which
  // removes most of CSP's XSS protection; prefer nonces or hashes where possible.
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self';"
  );
  next();
});

app.get('/', (req, res) => {
  res.send('Hello, secure web!');
});

const PORT = 3000;
app.listen(PORT, () => console.log(`Server running with security headers on port ${PORT}`));
```
How it works: This Node.js Express snippet demonstrates how to implement essential HTTP security headers using the `helmet` middleware and custom `res.setHeader` calls. Headers like `Strict-Transport-Security` enforce HTTPS, `X-Frame-Options` prevents clickjacking, `X-Content-Type-Options` stops MIME sniffing, and `Content-Security-Policy` (CSP) reduces XSS risk by controlling which sources the browser may load resources from. The custom middleware runs after `helmet()` and overwrites the values Helmet set, so the explicit values are the ones sent; and because the example's `script-src` allows `'unsafe-inline'`, injected inline scripts are still permitted, so a nonce- or hash-based `script-src` is needed before CSP provides meaningful XSS protection. Configuring these headers is crucial for modern web application security.