fix(core): add CSP headers for security (#1004)

Co-authored-by: Simon <simon@aam-digital.com>
Aam-Digital · Jul 25, 2023 · 13a92be · 13a92be
1 parent 5028765
commit 13a92be
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/angular.json b/angular.json
@@ -56,7 +56,14 @@
                   "maximumWarning": "6kb"
                 }
               ],
-              "optimization": true,
+              "optimization": {
+                "scripts": true,
+                "styles": {
+                  "minify": true,
+                  "inlineCritical": false
+                },
+                "fonts": true
+              },
               "outputHashing": "all",
               "namedChunks": false,
               "extractLicenses": true,

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -73,6 +73,16 @@ ENV PORT=80
 ENV COUCHDB_URL="http://localhost"
 # The url to a nominatim instance, see https://nominatim.org/
 ENV NOMINATIM_URL="https://nominatim.openstreetmap.org"
+
+# content security policy headers
+ENV CSP_REPORT_URI=""
+# overwrite the Content-Security-Policy rules (report-uri is added automatically)
+## default includes all required whitelists for production server
+## to disable any CSP blocking, set to "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'"
+ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://matomo.aam-digital.org  https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org/; font-src 'self' data:"
+### 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' for index.html writing browser details
+### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600
+
 # variables are inserted into the nginx config
-CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
+CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$CSP $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
     nginx -g 'daemon off;'
diff --git a/build/README.md b/build/README.md
@@ -10,6 +10,14 @@ for every official (tagged) build.
 ## How to build & publish a new image
 You can simply create a new git tag and the CI setup will build and publish a docker image for that version.
 
+## Building locally
+Run the following commands from the root folder to build, run and kill the application on your local machine:
+```
+docker build -f build/Dockerfile -t aam/digital:latest .
+docker run -p=80:80 --name aam-digital aam/digital:latest
+docker stop aam-digital
+```
+
 ## How does the official release process work?
 We use [semantic-release](https://github.com/semantic-release/semantic-release) to automatically create new versions.
 Our process roughly follows the [GitFlow](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow) process,

diff --git a/build/default.conf b/build/default.conf
@@ -10,6 +10,12 @@ server {
 
     root /usr/share/nginx/html;
 
+    add_header Content-Security-Policy-Report-Only "${CSP}; report-uri ${CSP_REPORT_URI}";
+
+    # TODO: consider adding `trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script';` CSP in future
+    add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411
+    add_header X-Content-Type-Options: nosniff;
+
     # Catch requests to the assets folder
     # These should not be forwarded to the index.html
     # This currently includes a fallback for previous requests including a locale