Skip to content

Adop 2703 cross origins policy header#1798

Open
NewmanJustice wants to merge 12 commits into
masterfrom
ADOP-2703-Cross-Origins-Policy-Header
Open

Adop 2703 cross origins policy header#1798
NewmanJustice wants to merge 12 commits into
masterfrom
ADOP-2703-Cross-Origins-Policy-Header

Conversation

@NewmanJustice

@NewmanJustice NewmanJustice commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Before creating a pull request make sure that:

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests has been added (if needed)
  • SonarCloud has been reviewed

Change description

Fixes recurring ZAP security scan failures (rule 90004) where the Cross-Origin-Resource-Policy (CORP)
header was missing from /robots.txt and /sitemap.xml responses.

Root cause: The route handlers for /robots.txt and /sitemap.xml were registered in server.ts before the
Helmet middleware was initialised, so security headers were never applied to those responses.

Changes:

  • src/main/server.ts — Moved /robots.txt and /sitemap.xml route handlers to after Helmet middleware
    initialisation so CORP and all other security headers are applied.
  • src/main/modules/helmet/index.ts — Upgraded Helmet from ^4.6.0 to ^8.0.0; updated import to ESM-style
    and tightened TypeScript types for referrerPolicy and crossOriginResourcePolicy.
  • audit.json — Removed now-redundant ZAP suppressions for X-Content-Type-Options, HSTS and CSP on
    /robots.txt and /sitemap.xml.
  • Jenkinsfile_CNP / Jenkinsfile_nightly — Added clarifying comments documenting ZAP scan targets
    (preview vs AAT).
  • Applied prettier formatting fixes to pass CI lint check.

JIRA link

[ADOP-2703]

Does this PR introduce a breaking change? (check one with "x")

  • Yes
  • No

NewmanJustice and others added 5 commits March 31, 2026 14:06
@NewmanJustice
Uncommented draft store
9b12f7b
@NewmanJustice @claude
fix(ADOP-2703): fix CORP header on /robots.txt and /sitemap.xml, upgr…
d62b0e2 
…ade helmet to v8

- Move /robots.txt and /sitemap.xml route handlers in server.ts to after
  Helmet middleware init, so CORP and all other security headers are applied
  to those responses (root cause of ZAP 90004 nightly failures)
- Upgrade helmet from ^4.6.0 to ^8.0.0; update import to ESM-style and
  tighten TypeScript types in helmet/index.ts
- Remove now-redundant audit.json suppressions for X-Content-Type-Options,
  HSTS and CSP on /robots.txt and /sitemap.xml (Helmet now covers these)
- Add clarifying comments to Jenkinsfile_CNP and Jenkinsfile_nightly
  documenting ZAP scan targets (preview vs AAT) — closes OQ1 from spec

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@NewmanJustice
fix: apply prettier formatting fixes to pass lint
398b8e7 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@NewmanJustice
fix: update ACR references from hmctspublic to hmctsprod
05e9402 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@NewmanJustice
chore: regenerate yarn-audit-known-issues with latest vulnerabilities
f8b5dfb 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
NewmanJustice and others added 5 commits June 3, 2026 15:32
@NewmanJustice
Merge branch 'master' into ADOP-2703-Cross-Origins-Policy-Header
b50306b
@NewmanJustice
Fix lockfile mismatch after merge
4976c87
@NewmanJustice
chore: retrigger CI
08ee55e 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@NewmanJustice
fix: correct helmet@8.1.0 checksum in yarn.lock
a7f870c 
The checksum stored for helmet@npm:8.1.0 did not match the actual
package archive on npm. In CI (no local cache), yarn install was
downloading the package fresh, detecting the mismatch, and failing —
leaving no .yarn/install-state.gz. This caused all subsequent yarn
tasks (build, lint) to fail with 'Couldn't find the node_modules
state file'.

Regenerated the correct checksum by clearing the local cache and
re-running yarn install.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@NewmanJustice
fix: regenerate yarn-audit-known-issues in Yarn 4 format
f588164 
The CI audit script (yarn-audit-with-suppressions.sh) expected the
suppressions file to be in Yarn 4 JSON-lines format but found a Yarn 3
single-object format entry, causing the check to fail with:
  'Invalid or unexpected yarn-audit-known-issues-formatted structure'

Regenerated using:
  yarn npm audit --recursive --environment production --json > yarn-audit-known-issues

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hmcts-jenkins-a-to-c hmcts-jenkins-a-to-c Bot requested a deployment to preview June 5, 2026 14:45 Abandoned
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ns:adoption prd:adoption rel:adoption-web-pr-1798

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NewmanJustice