Secure Headers are not in use

Was looking at the codebase for some stuff I've done in the past and [noticed this](https://github.com/atlassian/github-for-jira/blob/main/src/app.ts#L99):

```
setupFrontendApp(app);
secureHeaders(app);
```

Since it's using the express `use` concept, and that it's "using" _after the router is setup_, that means that all secure headers are essentially ignored until after the routes are completed, which means that this isn't securing anything.

I'm not sure what's being accomplished by having the security headers in a separate function since it's only used once?  Why not just add it inline with all other express app settings _right before_ the router is used?

![skeletor-until-we-meet-again](https://github.com/atlassian/github-for-jira/assets/573668/a8a0b2ca-4402-4921-8173-d6277b36eaed)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Secure Headers are not in use #2491

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Secure Headers are not in use #2491

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions