add security headers using Helmet

- use all Helmet's default headers except `X-DNS-Prefetch-Control`
- use `Referrer-Policy`
- use cache headers when:
  - a user is logged in, OR
  - a project is displayed

services/web/app/coffee/infrastructure/Server.coffee

@@ -6,6 +6,7 @@ metrics = require('metrics-sharelatex')
 crawlerLogger = require('./CrawlerLogger')
 expressLocals = require('./ExpressLocals')
 Router = require('../router')
+helmet = require "helmet"
 metrics.inc("startup")
 UserSessionsRedis = require('../Features/User/UserSessionsRedis')
 
@@ -143,6 +144,17 @@ webRouter.use (req, res, next) ->
 		res.status(503)
 		res.render("general/closed", {title:"maintenance"})
 
+# add security headers using Helmet
+webRouter.use (req, res, next) ->
+	isLoggedIn = AuthenticationController.isUserLoggedIn(req)
+	isProjectPage = !!req.path.match('^/project/[a-f0-9]{24}$')
+
+	helmet({ # note that more headers are added by default
+		dnsPrefetchControl: false
+		referrerPolicy: { policy: 'origin-when-cross-origin' }
+		noCache: isLoggedIn || isProjectPage
+	})(req, res, next)
+
 profiler = require "v8-profiler"
 privateApiRouter.get "/profile", (req, res) ->
 	time = parseInt(req.query.time || "1000")

services/web/package.json

@@ -26,6 +26,7 @@
     "express": "4.13.0",
     "express-session": "^1.14.2",
     "heapdump": "^0.3.7",
+    "helmet": "^3.8.1",
     "http-proxy": "^1.8.1",
     "ioredis": "^2.4.0",
     "jade": "~1.3.1",

services/web/test/acceptance/coffee/SecurityHeadersTests.coffee

@@ -0,0 +1,70 @@
+assert = require('chai').assert
+async = require('async')
+User = require('./helpers/User')
+request = require('./helpers/request')
+
+assert_has_common_headers = (response) ->
+	headers = response.headers
+	assert.equal(headers['x-frame-options'], 'SAMEORIGIN')
+	assert.equal(headers['strict-transport-security'], 'max-age=15552000; includeSubDomains')
+	assert.equal(headers['x-content-type-options'], 'nosniff')
+	assert.equal(headers['x-download-options'], 'noopen')
+	assert.equal(headers['x-xss-protection'], '1; mode=block')
+	assert.equal(headers['referrer-policy'], 'origin-when-cross-origin')
+
+assert_has_cache_headers = (response) ->
+	headers = response.headers
+	assert.equal(headers['surrogate-control'], 'no-store')
+	assert.equal(headers['cache-control'], 'no-store, no-cache, must-revalidate, proxy-revalidate')
+	assert.equal(headers['pragma'], 'no-cache')
+	assert.equal(headers['expires'], '0')
+
+assert_has_no_cache_headers = (response) ->
+	headers = response.headers
+	assert.isUndefined(headers['surrogate-control'])
+	assert.isUndefined(headers['cache-control'])
+	assert.isUndefined(headers['pragma'])
+	assert.isUndefined(headers['expires'])
+
+describe "SecurityHeaders", ->
+	before ->
+		@user = new User()
+
+	it 'should not have x-powered-by header', (done) ->
+		request.get '/', (err, res, body) =>
+			assert.isUndefined(res.headers['x-powered-by'])
+			done()
+
+	it 'should have all common headers', (done) ->
+		request.get '/', (err, res, body) =>
+			assert_has_common_headers res
+			done()
+
+	it 'should not have cache headers on public pages', (done) ->
+		request.get '/', (err, res, body) =>
+			assert_has_no_cache_headers res
+			done()
+
+	it 'should have cache headers when user is logged in', (done) ->
+		async.series [
+			(cb) => @user.login cb
+			(cb) => @user.request.get '/', cb
+			(cb) => @user.logout cb
+		], (err, results) =>
+			main_response = results[1][0]
+			assert_has_cache_headers main_response
+			done()
+
+	it 'should have cache headers on project page', (done) ->
+		async.series [
+			(cb) => @user.login cb
+			(cb) =>
+				@user.createProject "public-project", (error, project_id) =>
+					return done(error) if error?
+					@project_id = project_id
+					@user.makePublic @project_id, "readAndWrite", cb
+			(cb) => @user.logout cb
+		], (err, results) =>
+				request.get  "/project/#{@project_id}", (err, res, body) =>
+					assert_has_cache_headers res
+					done()