feat: Add helmet and force SSL

app.js

@@ -5,6 +5,7 @@ const cookieParser = require('cookie-parser')
 const express = require('express')
 const logger = require('morgan')
 const querystring = require('querystring')
+const helmet = require('helmet')
 
 // Load environment variables using dotenv
 require('dotenv').config({ path: 'variables.env' })
@@ -24,12 +25,22 @@ app.set('views', path.join(__dirname, 'views'))
 app.set('view engine', 'pug')
 
 app.use(logger('dev'))
+app.use(helmet())
 app.use(bodyParser.json())
 app.use(bodyParser.urlencoded({ extended: false }))
 app.use(cookieParser())
 app.use(express.static(path.join(__dirname, 'public')))
 app.use(breadcrumb())
 
+// Force all requests on production to be served over https
+app.use(function (req, res, next) {
+  if (!req.secure && process.env.NODE_ENV === 'production') {
+    var secureUrl = 'https://' + req.headers['host'] + req.url
+    res.writeHead(301, { 'Location': secureUrl })
+    res.end()
+  }
+  next()
+})
 // Set our application state based on environment variables or query parameters
 app.use(async function (request, response, next) {
   // Set default settings based on environment variables

package.json

@@ -4,7 +4,8 @@
   "private": true,
   "scripts": {
     "start:watch": "nodemon ./bin/www --ignore public/",
-    "start": "node ./bin/www",
+    "start:dev": "node ./bin/www",
+    "start:production": "NODE_ENV=production node ./bin/www",
     "lint": "eslint ./app.js routes",
     "format": "eslint --fix . bin --ignore public node_modules",
     "test": "echo 'test'",
@@ -22,6 +23,7 @@
     "cookie-parser": "~1.4.3",
     "dotenv": "^4.0.0",
     "express": "~4.14.0",
+    "helmet": "^3.9.0",
     "marked": "^0.3.6",
     "morgan": "~1.7.0",
     "pug": "~2.0.0-beta6"