From b072ca9b3d21a3b2311545ac89179192c940e56a Mon Sep 17 00:00:00 2001
From: baozhoutao
Date: Sun, 29 Sep 2024 15:25:56 +0800
Subject: [PATCH] =?UTF-8?q?[Feature]:=20=E4=BD=BF=E7=94=A8helmet=E4=B8=AD?= =?UTF-8?q?=E9=97=B4=E4=BB=B6=E8=87=AA=E5=AE=9A=E4=B9=89http=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E7=AD=96=E7=95=A5=20#7020?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 services/service-steedos-server/index.js | 11 +++++++++++
 services/service-steedos-server/package.json | 1 +
 yarn.lock | 5 +++++
 3 files changed, 17 insertions(+)
diff --git a/services/service-steedos-server/index.js b/services/service-steedos-server/index.js
index e37d8b34e5..5b365a2d55 100644
--- a/services/service-steedos-server/index.js
+++ b/services/service-steedos-server/index.js
@@ -10,6 +10,8 @@ const express = require('express');
 const validator = require('validator');
 const core = require('@steedos/core');
+const helmet = require('helmet');
+
 /**
 * @typedef {import('moleculer').Context} Context Moleculer's Context
 */
@@ -226,6 +228,15 @@ module.exports = {
 });
 }
+ if(process.env.STEEDOS_HTTP_ENABLED_HELMET===true || process.env.STEEDOS_HTTP_ENABLED_HELMET=='true'){
+
+ const steedosConfig = objectql.getSteedosConfig();
+
+ const helmetConfig = steedosConfig.helmet;
+
+ WebApp.connectHandlers.use(helmet(helmetConfig))
+ }
+
 WebApp.connectHandlers.use(connectHandlersExpress)
 const steedosSchema = require('@steedos/objectql').getSteedosSchema(this.broker);
 this.wrapAsync(this.startStandardObjectsPackageLoader, {});
diff --git a/services/service-steedos-server/package.json b/services/service-steedos-server/package.json
index b6fb8889a9..f576e5d39f 100644
--- a/services/service-steedos-server/package.json
+++ b/services/service-steedos-server/package.json
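Review bot: The gate on `STEEDOS_HTTP_ENABLED_HELMET` in the second index.js hunk leaves the security headers off by default and fails silently: `process.env` values are always strings, so the `===true` arm can never match, and any spelling other than lowercase `'true'` (for example `TRUE` or `1`) skips helmet without a log line. I would reduce the test to `if (String(process.env.STEEDOS_HTTP_ENABLED_HELMET).toLowerCase() === 'true') {` and log at startup whether helmet was enabled, so operators can verify the control is active. `objectql` is not declared in the visible lines and the next context line uses an inline `require('@steedos/objectql')`, so confirm the identifier is in scope here; otherwise enabling the flag would throw at startup. When `steedosConfig.helmet` is undefined, `helmet(undefined)` should fall back to helmet's defaults, including its default Content-Security-Policy, which deserves a comment such as `// no helmet section in config => helmet defaults (incl. default CSP)`. The enclosing function starts and ends outside the hunk.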
@@ -34,6 +34,7 @@
 "@steedos/webapp-public": "2.6.29",
 "@steedos/workflow": "2.6.29",
 "dotenv-flow": "^3.2.0",
+ "helmet": "6.2.0",
 "moleculer": "^0.14.25",
 "moleculer-db": "^0.8.4",
 "moleculer-web": "^0.10.4",
diff --git a/yarn.lock b/yarn.lock
index 4fd2549a06..238a0eb122 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9911,6 +9911,11 @@ header-case@^1.0.0:
 no-case "^2.2.0"
 upper-case "^1.1.3"
+helmet@6.2.0:
+ version "6.2.0"
+ resolved "https://registry.npmmirror.com/helmet/-/helmet-6.2.0.tgz#c29d62014be4c70b8ef092c9c5e54c8c26b8e16e"
+ integrity sha512-DWlwuXLLqbrIOltR6tFQXShj/+7Cyp0gLi6uAb8qMdFh/YBBFbKSgQ6nbXmScYd8emMctuthmgIa7tUfo9Rtyg==
+
 hexoid@1.0.0:
 version "1.0.0"
 resolved "https://registry.yarnpkg.com/hexoid/-/hexoid-1.0.0.tgz#ad10c6573fb907de23d9ec63a711267d9dc9bc18"
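Review bot: The new `"helmet": "6.2.0"` dependency is locked to a tarball resolved from `registry.npmmirror.com`, while the neighbouring `hexoid` entry in the same lockfile resolves from `registry.yarnpkg.com`, so installs now depend on a second registry. The `integrity` hash still pins the tarball contents, but I would regenerate the entry against the registry the rest of the lockfile uses, or record the mirror as intentional in the project's registry configuration. That keeps builds behind an egress allowlist working and leaves a single package source to audit.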