fix: harden authentication security

backend/src/app.ts

@@ -8,32 +8,37 @@ import authRouter from "./routes/auth";
 import healthRouter from "./routes/health";
 import racesRouter from "./routes/races";
 
+const TURNSTILE_ORIGIN = "https://challenges.cloudflare.com";
+
+export function buildHelmetOptions(securityProfile: string) {
+  return {
+    contentSecurityPolicy:
+      securityProfile === "production"
+        ? {
+            directives: {
+              defaultSrc: ["'self'"],
+              scriptSrc: ["'self'", TURNSTILE_ORIGIN],
+              styleSrc: ["'self'"],
+              imgSrc: ["'self'", "data:", "https:"],
+              connectSrc: ["'self'", TURNSTILE_ORIGIN],
+              frameSrc: [TURNSTILE_ORIGIN],
+              objectSrc: ["'none'"],
+              frameAncestors: ["'none'"],
+            },
+          }
+        : false,
+    hsts:
+      securityProfile === "production"
+        ? { maxAge: 31_536_000, includeSubDomains: true }
+        : false,
+    referrerPolicy: { policy: "strict-origin-when-cross-origin" as const },
+  };
+}
+
 export function createApp(): express.Express {
   const app = express();
 
-  app.use(
-    helmet({
-      contentSecurityPolicy:
-        config.securityProfile === "production"
-          ? {
-              directives: {
-                defaultSrc: ["'self'"],
-                scriptSrc: ["'self'"],
-                styleSrc: ["'self'"],
-                imgSrc: ["'self'", "data:", "https:"],
-                connectSrc: ["'self'"],
-                objectSrc: ["'none'"],
-                frameAncestors: ["'none'"],
-              },
-            }
-          : false,
-      hsts:
-        config.securityProfile === "production"
-          ? { maxAge: 31_536_000, includeSubDomains: true }
-          : false,
-      referrerPolicy: { policy: "strict-origin-when-cross-origin" },
-    }),
-  );
+  app.use(helmet(buildHelmetOptions(config.securityProfile)));
   app.use(
     cors({
       origin: config.corsOrigin,