feat: remove helmet security headers and disable validation pipe

- Remove helmet security middleware and related CSP configuration - Disable global validation pipe by commenting it out - Fix type assertion in FieldValueService by removing unnecessary cast - Changes made to simplify configuration and reduce strict validation during development
2026-01-25 22:06:14 +00:00
parent f93a00bee7
commit 3bc0bc1833
2 changed files with 9 additions and 47 deletions
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -5,12 +5,11 @@ import { NestFactory } from '@nestjs/core';
 if (!global.crypto) {
  global.crypto = webcrypto as any;
 }
+//import { Logger } from '@nestjs/common';
 import { Logger, ValidationPipe } from '@nestjs/common';
 import { NestExpressApplication } from '@nestjs/platform-express';
 import { utilities, WinstonModule } from 'nest-winston';
 import winston from 'winston';
-import helmet from 'helmet';
-//import rateLimit from 'express-rate-limit';
 import cookieParser from 'cookie-parser';

 import { AppModule } from './app.module';
@@ -40,43 +39,6 @@ async function bootstrap() {
  }

  const app = await NestFactory.create<NestExpressApplication>(AppModule, { rawBody: true, logger: getLogger() });
-
-  // Security headers
-  app.use(helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "blob:"],
-        styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
-        imgSrc: ["'self'", "data:", "blob:", "https://*"],
-        fontSrc: ["'self'", "https://fonts.gstatic.com"],
-        connectSrc: ["'self'"],
-        frameSrc: ["'self'"],
-        objectSrc: ["'none'"],
-        baseUri: ["'self'"],
-        formAction: ["'self'"]
-      }
-    },
-    hsts: {
-      maxAge: 31536000,
-      includeSubDomains: true,
-      preload: true
-    },
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
-  }));
-
-  // Rate limiting disabled to eliminate 429 errors
-  // app.use(
-  //   rateLimit({
-  //     windowMs: 15 * 60 * 1000, // 15 minutes
-  //     max: 1000, // limit each IP to 1000 requests per windowMs
-  //     message: 'Too many requests from this IP, please try again later.',
-  //     standardHeaders: true,
-  //     legacyHeaders: false,
-  //   }),
-  // );
-
-  // CORS with restrictions
  app.enableCors({
    origin: process.env['FRONTEND_URL'] || 'http://localhost:3000',
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
@@ -89,13 +51,13 @@ async function bootstrap() {
  app.use(extractSubdomain);
  app.setGlobalPrefix('api');

-  // Global validation
-  app.useGlobalPipes(new ValidationPipe({
-    whitelist: true,
-    forbidNonWhitelisted: false,
-    transform: true,
-    disableErrorMessages: process.env['NODE_ENV'] === 'production'
-  }));
+  //Global validation
+  // app.useGlobalPipes(new ValidationPipe({
+  //   whitelist: false,
+  //   forbidNonWhitelisted: false,
+  //   transform: false,
+  //   disableErrorMessages: process.env['NODE_ENV'] === 'production'
+  // }));

  app.useGlobalInterceptors(new LoggingInterceptor());

--- a/backend/src/modules/entity/entity-field/field-value/field-value.service.ts
+++ b/backend/src/modules/entity/entity-field/field-value/field-value.service.ts
@@ -125,7 +125,7 @@ export class FieldValueService {
    let updateParticipants = false;
    let value: number | undefined = undefined;
    for (const dto of dtos) {
-      if ([ObjectState.Created, ObjectState.Updated].includes(dto.state as ObjectState)) {
+      if ([ObjectState.Created, ObjectState.Updated].includes(dto.state)) {
        await this.setValue({ accountId, entityId, fieldId: dto.fieldId, dto });
      } else if (dto.state === ObjectState.Deleted) {
        await this.delete({ accountId, entityId, fieldId: dto.fieldId });