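// Load environment variables from the project's .env file before anything reads process.env.
dotenv.config({ path: '.env' });

// Typed as the Express application (instead of `any`) so misuse of app.* is caught at compile time.
const app = express();
// Do not advertise the framework in responses.
app.disable('x-powered-by');
const helmet = require('helmet');

// Wrap res.send so the body that was sent is kept on the response object as `custombody`
// (presumably read later by the log handlers; verify against successHandler).
const originalSend = app.response.send;
app.response.send = function sendOverWrite(this: Response & { custombody?: unknown }, body?: unknown) {
  // Preserve the wrapped function's return value: res.json() returns the result of
  // this.send(), so returning nothing here would break chaining on res.json().
  const result = originalSend.call(this, body);
  this.custombody = body;
  return result;
};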
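app.use(helmet());

// Rewrites a Content-Security-Policy header value so that its frame-ancestors
// directive is exactly `'none'`, keeping every other directive as is.
// @param existing - current header value as returned by res.getHeader (may be absent or an array).
// @returns the new header value, always ending in `frame-ancestors 'none'`.
function withFrameAncestorsNone(existing: number | string | string[] | undefined): string {
  const current = Array.isArray(existing) ? existing.join(';') : existing == null ? '' : String(existing);
  const kept = current
    .split(';')
    .map((directive) => directive.trim())
    // Directive names are case-insensitive; drop any frame-ancestors already present.
    .filter((directive) => directive.length > 0 && !/^frame-ancestors\b/i.test(directive));
  return [...kept, "frame-ancestors 'none'"].join(';');
}

// Anti-clickjacking headers, applied after Helmet so they take precedence.
// X-Frame-Options: DENY overrides Helmet's default SAMEORIGIN (the same effect as
// `helmet({ frameguard: { action: 'deny' } })`). Helmet (current versions) also emits a
// default Content-Security-Policy; overwriting that header with a bare
// `frame-ancestors 'none'` would silently drop every other directive, so only the
// frame-ancestors directive is replaced here.
app.use((req: Request, res: Response, next: NextFunction) => {
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', withFrameAncestorsNone(res.getHeader('Content-Security-Policy')));
  next();
});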
// CORS: cors() with no options answers every origin with `Access-Control-Allow-Origin: *`;
// narrow it with an `origin` allow-list if the API ever serves credentialed requests.
app.use(cors());

// Body parsing: JSON bodies and URL-encoded forms (`extended: true` allows nested objects).
app.use(json());
app.use(urlencoded({ extended: true }));

// Template rendering: views live next to the source tree and use the jade engine.
const viewsDirectory = path.join(__dirname, '../src/views');
app.set('views', viewsDirectory);
app.set('view engine', 'jade');
// Logging middleware (defined elsewhere in the project).
// NOTE(review): if errorHandler is a 4-argument error middleware it only catches errors
// from handlers registered *before* it; here it precedes the routes — confirm this is intended.
app.use(successHandler);
app.use(errorHandler);

// All API routes are mounted under the /api prefix.
const apiRouter = Router;
app.use('/api', apiRouter);
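// Catch-all for requests no route answered. Registered as plain middleware rather than
// app.get('*') so every method (POST, PUT, ...) on an unknown path receives the same
// JSON 404 instead of Express's default HTML "Cannot POST /path" page.
app.use((req: Request, res: Response) => {
  res.status(404).send({ message: 'Unauthorized!', status: false });
});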
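// Start listening (kept as an async IIFE so start-up can await other work, e.g. AWS config,
// before binding). APP_PORT comes from the environment loaded by dotenv above; `||` rather
// than `??` so an empty APP_PORT also falls back to 5000.
// The log line is a template literal — the backticks are required.
(async (port = process.env.APP_PORT || 5000) => {
  app.listen(port, () => console.log(`> Listening on port ${port}`));
})();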
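// Final error handler. Express recognises an error handler only by its four-parameter
// signature, so `next` must stay even though it is used solely to delegate.
app.use((err: any, req: Request, res: Response, next: NextFunction) => {
  // Once headers are out the status/body cannot be changed; let Express close the response.
  if (res.headersSent) {
    return next(err);
  }
  res.locals.errorMessage = err.message || "System Error";
  // Stack traces are only exposed (to templates via res.locals) in development.
  res.locals.error = process.env.NODE_ENV === Environment.Development ? err.stack || err : {};
  // Honour only a well-formed error status (4xx/5xx, from `status` or http-errors' `statusCode`);
  // anything else becomes 500 so a malformed error object cannot produce an invalid response.
  const candidate = Number(err.status || err.statusCode);
  res.status(Number.isInteger(candidate) && candidate >= 400 && candidate < 600 ? candidate : 500);
  // Generic body on purpose: nothing from `err` reaches the client.
  res.send("System Error, Please contact tech support!");
});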
In this Server.ts file I wanted to enable the header options 'Content-Security-Policy', "frame-ancestors 'none'" and 'X-Frame-Options', 'DENY' to prevent clickjacking.
Below is the code I am using to check for clickjacking:
Clickjacking PoC