From b21f6b3108dc5eceb6367759a487cc5684ea9695 Mon Sep 17 00:00:00 2001
From: Feng Xiang
Date: Thu, 14 Jul 2022 12:00:29 -0400
Subject: [PATCH] Fix http response headers KPMG Pen test

Signed-off-by: Feng Xiang
---
 app.js | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/app.js b/app.js
index 35fb17521e..8129070a3f 100644
--- a/app.js
+++ b/app.js
@@ -65,8 +65,10 @@ if (process.env.NODE_ENV === 'production') {
 helmet({
 // in production these headers are set by ingress.open-cluster-management.io
 frameguard: false,
- noSniff: true,
- xssFilter: true
+ hsts: {
+ maxAge: 63072000,
+ preload: true
+ }
 })
 )
 
@@ -81,13 +83,6 @@ if (process.env.NODE_ENV === 'production') {
 app.use('*', morgan('dev'))
 }
 
-app.use((req, res, next) => {
- res.removeHeader('X-Frame-Options')
- res.removeHeader('X-Content-Type-Options')
- res.removeHeader('X-Xss-Protection')
- next()
-})
-
 const csrfMiddleware = csurf({
 cookie: {
 httpOnly: false,
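Review bot: The new `hsts` block sends the `preload` directive on every production response, and because helmet's hsts option also emits `includeSubDomains` by default (worth confirming against the helmet version pinned in package.json), anyone can submit whichever hostname this console is served from to the browser HSTS preload list, which is effectively irreversible and breaks any HTTP-only subdomain under that domain. Preloading should be an explicit operator decision rather than a product default, so either drop it, `hsts: { maxAge: 63072000 }`, or gate it behind an environment flag. The comment above `frameguard: false` now describes only that one option; if the ingress also sets Strict-Transport-Security as the comment implies for the other headers, responses will carry two STS headers and browsers honour only the first, so the ingress configuration should be checked for a conflicting value. Removing the explicit `noSniff: true` / `xssFilter: true` appears to be a no-op since both are helmet defaults, so X-Content-Type-Options and X-XSS-Protection are actually restored by deleting the `removeHeader` middleware in the second hunk, not by this one. The enclosing `app.use(` call starts above the hunk.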