added helmet for better standard of protection across the board

install/package.json

@@ -43,6 +43,7 @@
         "express-session": "^1.15.6",
         "express-useragent": "1.0.8",
         "graceful-fs": "^4.1.11",
+        "helmet": "^3.11.0",
         "html-to-text": "3.3.0",
         "ipaddr.js": "^1.5.4",
         "jimp": "0.2.28",

src/middleware/headers.js

@@ -11,7 +11,6 @@ module.exports = function (middleware) {
 			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
-			'Referrer-Policy': 'strict-origin-when-cross-origin',	// consider using helmet?
 		};
 
 		if (meta.config['access-control-allow-origin']) {

src/webserver.js

@@ -17,6 +17,7 @@ var cookieParser = require('cookie-parser');
 var session = require('express-session');
 var useragent = require('express-useragent');
 var favicon = require('serve-favicon');
+var helmet = require('helmet');
 
 var db = require('./database');
 var file = require('./file');
@@ -171,6 +172,8 @@ function setupExpressApp(app, callback) {
 		saveUninitialized: true,
 	}));
 
+	app.use(helmet());
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);