feat: remove helmet security headers and disable validation pipe

- Remove helmet security middleware and related CSP configuration
- Disable global validation pipe by commenting it out
- Fix type assertion in FieldValueService by removing unnecessary cast
- These changes are intended to simplify configuration and reduce strict validation during development
Viktoria Polyakova
2026-01-25 22:06:14 +00:00
parent f93a00bee7
commit 3bc0bc1833
2 changed files with 9 additions and 47 deletions


@@ -5,12 +5,11 @@ import { NestFactory } from '@nestjs/core';
if (!global.crypto) { if (!global.crypto) {
global.crypto = webcrypto as any; global.crypto = webcrypto as any;
} }
//import { Logger } from '@nestjs/common';
import { Logger, ValidationPipe } from '@nestjs/common'; import { Logger, ValidationPipe } from '@nestjs/common';
import { NestExpressApplication } from '@nestjs/platform-express'; import { NestExpressApplication } from '@nestjs/platform-express';
import { utilities, WinstonModule } from 'nest-winston'; import { utilities, WinstonModule } from 'nest-winston';
import winston from 'winston'; import winston from 'winston';
import helmet from 'helmet';
//import rateLimit from 'express-rate-limit';
import cookieParser from 'cookie-parser'; import cookieParser from 'cookie-parser';
import { AppModule } from './app.module'; import { AppModule } from './app.module';
@@ -40,43 +39,6 @@ async function bootstrap() {
} }
const app = await NestFactory.create<NestExpressApplication>(AppModule, { rawBody: true, logger: getLogger() }); const app = await NestFactory.create<NestExpressApplication>(AppModule, { rawBody: true, logger: getLogger() });
// Security headers
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "blob:"],
styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
imgSrc: ["'self'", "data:", "blob:", "https://*"],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
connectSrc: ["'self'"],
frameSrc: ["'self'"],
objectSrc: ["'none'"],
baseUri: ["'self'"],
formAction: ["'self'"]
}
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
},
referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
}));
// Rate limiting disabled to eliminate 429 errors
// app.use(
// rateLimit({
// windowMs: 15 * 60 * 1000, // 15 minutes
// max: 1000, // limit each IP to 1000 requests per windowMs
// message: 'Too many requests from this IP, please try again later.',
// standardHeaders: true,
// legacyHeaders: false,
// }),
// );
// CORS with restrictions
app.enableCors({ app.enableCors({
origin: process.env['FRONTEND_URL'] || 'http://localhost:3000', origin: process.env['FRONTEND_URL'] || 'http://localhost:3000',
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS', methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
@@ -89,13 +51,13 @@ async function bootstrap() {
app.use(extractSubdomain); app.use(extractSubdomain);
app.setGlobalPrefix('api'); app.setGlobalPrefix('api');
// Global validation //Global validation
app.useGlobalPipes(new ValidationPipe({ // app.useGlobalPipes(new ValidationPipe({
whitelist: true, // whitelist: false,
forbidNonWhitelisted: false, // forbidNonWhitelisted: false,
transform: true, // transform: false,
disableErrorMessages: process.env['NODE_ENV'] === 'production' // disableErrorMessages: process.env['NODE_ENV'] === 'production'
})); // }));
app.useGlobalInterceptors(new LoggingInterceptor()); app.useGlobalInterceptors(new LoggingInterceptor());
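Review bot: The helmet removal in the second hunk of this file is unconditional, so the CSP, HSTS and Referrer-Policy headers disappear from every environment, while the commit message says the goal is to relax things "during development"; the smaller change is to keep the block and gate it, `if (process.env['NODE_ENV'] === 'production') { app.use(helmet({ /* … existing options … */ })); }`, which the file already has a precedent for in `disableErrorMessages: process.env['NODE_ENV'] === 'production'`. The same applies to the commented-out `ValidationPipe` in the third hunk: once it is gone, `whitelist` stripping and `transform` no longer run, so request bodies reach handlers with whatever shape the client sent, and the commented copy now reads `whitelist: false` / `transform: false`, so re-enabling it later would restore a weaker pipe than the one removed. If the comment is meant as a reminder, I would keep the original values in it and add `// TODO: re-enable before release; disabled only for local development` above it. The `bootstrap()` function begins before the second hunk and continues past the last line shown here.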


@@ -125,7 +125,7 @@ export class FieldValueService {
let updateParticipants = false; let updateParticipants = false;
let value: number | undefined = undefined; let value: number | undefined = undefined;
for (const dto of dtos) { for (const dto of dtos) {
if ([ObjectState.Created, ObjectState.Updated].includes(dto.state as ObjectState)) { if ([ObjectState.Created, ObjectState.Updated].includes(dto.state)) {
await this.setValue({ accountId, entityId, fieldId: dto.fieldId, dto }); await this.setValue({ accountId, entityId, fieldId: dto.fieldId, dto });
} else if (dto.state === ObjectState.Deleted) { } else if (dto.state === ObjectState.Deleted) {
await this.delete({ accountId, entityId, fieldId: dto.fieldId }); await this.delete({ accountId, entityId, fieldId: dto.fieldId });
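Review bot: Dropping the `as ObjectState` cast on `dto.state` is fine for the type checker, but with the global `ValidationPipe` removed in the same commit there is no longer a runtime check that `dto.state` is one of the enum values, so the static type now rests on trust in the request body. A value outside Created/Updated/Deleted falls through both branches and is silently ignored for that dto, which looks unintended; if that is not the desired behaviour, a final `else { throw new BadRequestException(\`unknown state: ${String(dto.state)}\`); }` would make it explicit, assuming the `else if` chain ends where the hunk does. This loop sits inside a method whose start and end are outside the hunk, so the surrounding error handling cannot be confirmed from here.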