diff --git a/express-api/src/middleware/headerHandler.ts b/express-api/src/middleware/headerHandler.ts
index 14944de13..6fdee69dc 100644
--- a/express-api/src/middleware/headerHandler.ts
+++ b/express-api/src/middleware/headerHandler.ts
@@ -1,7 +1,7 @@
import { NextFunction, Response } from 'express';
const headerHandler: unknown = (req: Request, res: Response, next: NextFunction) => {
- res.header('Access-Control-Allow-Origin', '*');
+ //res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,PATCH,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization');
next();
diff --git a/express-api/tests/integration/middleware/headerHandler.test.ts b/express-api/tests/integration/middleware/headerHandler.test.ts
index 5d0310136..799f40a81 100644
--- a/express-api/tests/integration/middleware/headerHandler.test.ts
+++ b/express-api/tests/integration/middleware/headerHandler.test.ts
@@ -9,7 +9,6 @@ describe('INTEGRATION - headerHandler middleware', () => {
it('should set headers with expected values', async () => {
const response = await request.get('/v2/health');
// Remember to use lower case for header keys
- expect(response.header['access-control-allow-origin']).toBe('*');
expect(response.header['access-control-allow-methods']).toBe('GET,PUT,PATCH,POST,DELETE');
expect(response.header['access-control-allow-headers']).toBe(
'Content-Type, Accept, Authorization',
diff --git a/react-app/index.html b/react-app/index.html
index beccf76ef..51e58cd58 100644
--- a/react-app/index.html
+++ b/react-app/index.html
@@ -1,22 +1,28 @@
+
+
+
+ PIMS
+
+
+
-
-
-
- PIMS
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
diff --git a/react-app/nginx.conf b/react-app/nginx.conf
index e278bff0d..1b7e8839e 100644
--- a/react-app/nginx.conf
+++ b/react-app/nginx.conf
@@ -1,4 +1,26 @@
server {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+ # connect via HTTPS (do not use if only testing)
+ add_header Strict-Transport-Security "max-age=31536000;";
+
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ add_header X-XSS-Protection "1; mode=block";
+
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ add_header X-Content-Type-Options "nosniff";
+
+ # Disallow the site to be rendered within a frame (clickjacking protection)
+ add_header X-Frame-Options "DENY";
+
+ add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=()";
+
+ # Turn off all caddy caching
+ add_header Cache-Control "no-cache,no-store,must-revalidate";
+ add_header Pragma "no-cache";
+
+ # Content Security Policy
+ add_header Content-Security-Policy "default-src 'none'; frame-src 'self' *.gov.bc.ca; script-src 'nonce-windowsp' 'self' *.gov.bc.ca https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com; font-src 'self' *.gov.bc.ca; img-src 'self' *.gov.bc.ca data: tile.openstreetmap.org https://maps.googleapis.com https://unpkg.com https://cdnjs.cloudflare.com https://openmaps.gov.bc.ca; connect-src 'self' *.gov.bc.ca https://openmaps.gov.bc.ca; manifest-src 'self';";
+
listen 3000;
location / {
root /usr/share/nginx/html;