cors, csurf, hpp!

package.json

@@ -25,11 +25,14 @@
     "compression": "^1.7.2",
     "connect-datadog": "^0.0.6",
     "cookie-parser": "^1.4.3",
+    "cors": "^2.8.5",
+    "csurf": "^1.10.0",
     "express": "^4.16.2",
     "express-rate-limit": "^3.5.1",
     "fs-extra": "^7.0.1",
     "helmet": "^3.18.0",
     "hot-shots": "^4.7.0",
+    "hpp": "^0.2.2",
     "http-status-codes": "^1.3.0",
     "supertest": "^3.0.0",
     "tslib": "^1.9.3"
@@ -41,10 +44,13 @@
     "@types/chai-subset": "1.3.1",
     "@types/compression": "0.0.35",
     "@types/cookie-parser": "1.4.1",
+    "@types/cors": "2.8.5",
+    "@types/csurf": "1.9.35",
     "@types/express": "4.11.1",
     "@types/express-rate-limit": "3.3.0",
     "@types/fs-extra": "5.0.0",
     "@types/helmet": "0.0.43",
+    "@types/hpp": "0.2.1",
     "@types/mocha": "5.2.5",
     "@types/sinon-chai": "3.2.2",
     "@types/supertest": "2.0.4",

service/server/ExpressServer.ts

@@ -4,6 +4,8 @@ import { Server } from 'http'
 import * as fse from 'fs-extra'
 import * as compress from 'compression'
 import * as helmet from 'helmet'
+import * as hpp from 'hpp'
+import * as cors from 'cors'
 import * as bodyParser from 'body-parser'
 import * as cookieParser from 'cookie-parser'
 import * as RateLimit from 'express-rate-limit'
@@ -30,14 +32,15 @@ export class ExpressServer {
 
     public async setup(port: number) {
         const server = express()
-        this.setupSecurityMiddlewares(server)
         this.setupStandardMiddlewares(server)
+        this.setupSecurityMiddlewares(server)
         this.applyWebpackDevMiddleware(server)
         this.setupTelemetry(server)
         this.setupServiceDependencies(server)
         this.configureEjsTemplates(server)
         this.configureFrontendPages(server)
         this.configureApiEndpoints(server)
+        this.configureFrontendEndpoints(server)
 
         this.httpServer = this.listen(server, port)
         this.server = server
@@ -53,6 +56,7 @@ export class ExpressServer {
     }
 
     private setupSecurityMiddlewares(server: Express) {
+        server.use(hpp())
         server.use(helmet())
         server.use(helmet.referrerPolicy({ policy: 'same-origin' }))
         server.use(helmet.noCache())
@@ -162,4 +166,10 @@ export class ExpressServer {
         server.get('/api/statistics/cat', noCache, strictRateLimit, this.catEndpoints.getCatsStatistics)
         server.get('/api/cat/:catId', noCache, this.catEndpoints.getCatDetails)
     }
+
+    private configureFrontendEndpoints(server: Express) {
+        const forbidExternalFrontends = cors({ origin: false })
+
+        server.get('/internal/cat', forbidExternalFrontends, noCache, this.catEndpoints.getAllCats)
+    }
 }