
Add helmet and broader HTTP hardening middleware #336

@Oluwaseyi89

Description


Summary

Integrate the helmet middleware and implement comprehensive HTTP hardening in the backend service to enforce secure HTTP headers and protect against common web vulnerabilities, moving beyond basic CORS and Swagger-based protections.

Social Media Link

Let's collaborate on Discord, and be sure to star our repo.

Technical Context

  • Motivation: The current backend setup relies primarily on CORS and Swagger configuration for HTTP security, leaving the service exposed to a range of well-known web attacks (e.g., XSS, clickjacking, MIME sniffing, information leakage). Adopting industry-standard HTTP hardening middleware like helmet ensures robust, default protections and simplifies future security audits.
  • Current State: No global HTTP header hardening middleware is in place. Security headers are inconsistently set, and some attack surfaces (e.g., frame embedding, content sniffing, referrer policy) are not addressed.

Requirements

Backend Changes

  • Integrate the helmet middleware at the NestJS application level.
  • Enable and configure all relevant helmet protections, including:
    • Content-Security-Policy (CSP)
    • X-Frame-Options
    • X-Content-Type-Options
    • Strict-Transport-Security (HSTS)
    • Referrer-Policy
    • Cross-Origin-Resource-Policy
    • Cross-Origin-Opener-Policy
    • Cross-Origin-Embedder-Policy
    • X-DNS-Prefetch-Control
    • Expect-CT
    • Permissions-Policy
  • Document and justify any disabled or custom-configured headers (e.g., for Swagger or specific endpoints).
  • Ensure Swagger UI and CORS configuration remain functional and compatible with the new security headers.

Acceptance Criteria

  • All HTTP responses from the backend include the expected security headers with production-safe values.
  • Swagger UI and API documentation remain accessible and functional.
  • Security header configuration is documented and reviewed.
  • Automated tests or manual verification confirm the presence and correctness of headers.
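The following is an added example for the Backend Changes and Acceptance Criteria above; it is not the project's code. It assumes NestJS on the Express adapter with the `helmet` package (option names as in helmet's documentation), an assumed docs path of `/api/docs`, and that Swagger UI needs inline script and style sources (verify this against the installed @nestjs/swagger version). Two of the listed headers need a documented decision, as the "document and justify" requirement asks: helmet does not set Permissions-Policy, so a small custom middleware adds it, and Expect-CT is left unset because browsers dropped it and recent helmet releases no longer ship it. The pure parts (option builder, Permissions-Policy middleware, header check over constructed sample responses) run as-is; the main.ts wiring is shown in comments.

```typescript
// Added example for issue #336; not the project's code. Assumes NestJS on the
// Express adapter with the `helmet` package (option names as in helmet's docs).

type HeaderMap = Record<string, string>;

/** Helmet options. `relaxForSwagger` loosens CSP only as far as Swagger UI needs
 *  (ASSUMPTION: inline script/style; verify against your @nestjs/swagger version). */
export function buildHelmetOptions(relaxForSwagger = false) {
  const selfOrInline = relaxForSwagger ? ["'self'", "'unsafe-inline'"] : ["'self'"];
  return {
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: selfOrInline,
        styleSrc: selfOrInline,
        imgSrc: ["'self'", 'data:'],
        objectSrc: ["'none'"],
        frameAncestors: ["'none'"],
        upgradeInsecureRequests: [],
      },
    },
    frameguard: { action: 'deny' as const },           // X-Frame-Options: DENY
    noSniff: true,                                      // X-Content-Type-Options: nosniff
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: false },
    referrerPolicy: { policy: 'no-referrer' as const },
    crossOriginResourcePolicy: { policy: 'same-origin' as const },
    crossOriginOpenerPolicy: { policy: 'same-origin' as const },
    crossOriginEmbedderPolicy: { policy: 'require-corp' as const },
    dnsPrefetchControl: { allow: false },               // X-DNS-Prefetch-Control: off
    // Expect-CT: deliberately unset. Browsers dropped it and recent helmet
    // releases no longer ship it; record this in the security-header docs.
  };
}

/** helmet does not set Permissions-Policy, so a one-line middleware adds it. */
export const PERMISSIONS_POLICY = 'camera=(), microphone=(), geolocation=(), payment=()';

export function permissionsPolicy(
  _req: unknown,
  res: { setHeader(name: string, value: string): void },
  next: () => void,
): void {
  res.setHeader('Permissions-Policy', PERMISSIONS_POLICY);
  next();
}

// main.ts wiring (order matters: the docs-path helmet runs after the global one
// and overwrites CSP on that path only; '/api/docs' is an assumed path):
//   app.use(helmet(buildHelmetOptions()));
//   app.use('/api/docs', helmet(buildHelmetOptions(true)));
//   app.use(permissionsPolicy);
//   app.enableCors({ origin: ALLOWED_ORIGINS });   // existing CORS config stays as-is

/** Production-safe expectations used by the acceptance check. */
export const requiredSecurityHeaders: Record<string, string | RegExp> = {
  'content-security-policy': /(^|;\s*)default-src 'self'/,
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'strict-transport-security': /^max-age=\d{5,}/,
  'referrer-policy': 'no-referrer',
  'cross-origin-resource-policy': 'same-origin',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-embedder-policy': 'require-corp',
  'x-dns-prefetch-control': 'off',
  'permissions-policy': /camera=\(\)/,
};

/** Returns the names of required headers that are missing or carry a weak value. */
export function checkSecurityHeaders(headers: HeaderMap): string[] {
  const lower: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const failures: string[] = [];
  for (const [name, expected] of Object.entries(requiredSecurityHeaders)) {
    const actual = lower[name];
    const ok = actual !== undefined &&
      (expected instanceof RegExp ? expected.test(actual) : actual === expected);
    if (!ok) failures.push(name);
  }
  return failures;
}

// Constructed sample responses (not captured from the real service).
export const sampleHardened: HeaderMap = {
  'Content-Security-Policy': "default-src 'self';script-src 'self';object-src 'none';frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Referrer-Policy': 'no-referrer',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'X-DNS-Prefetch-Control': 'off',
  'Permissions-Policy': PERMISSIONS_POLICY,
};
export const sampleUnhardened: HeaderMap = {
  'X-Frame-Options': 'SAMEORIGIN',   // present, but weaker than the required DENY
  'X-Content-Type-Options': 'nosniff',
  'Content-Type': 'application/json',
};

console.log('hardened failures:', checkSecurityHeaders(sampleHardened));
console.log('unhardened failures:', checkSecurityHeaders(sampleUnhardened));
```

`checkSecurityHeaders` is the piece to drop into an e2e test: fetch `/` and `/api/docs` through supertest, pass `res.headers` in, and assert the returned list is empty. Because it compares values rather than only presence, a header that is set but weakened (for example `X-Frame-Options: SAMEORIGIN` where `DENY` is required) is reported as a failure, which is what "correctness of headers" in the acceptance criteria calls for.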

Definition of Done

  • PR with middleware integration, configuration, and documentation
  • Security headers verified in staging/production environments
  • Team review completed

Working Directory

corporate-platform/corporate-platform-backend

Metadata

Labels

  • Nest.js: This issue is to be implemented with the Nest.js framework
  • Stellar Wave: Issues in the Stellar wave program
  • Typescript: This issue is to be implemented with TypeScript
  • backend: This issue is about building backend API services
