From 3133c0949a3d2c488de5e51156afff2edec86973 Mon Sep 17 00:00:00 2001 From: Roland Bewick Date: Sun, 11 Aug 2024 13:34:47 +0700 Subject: [PATCH] feat: add secure middleware, move CSP to header --- frontend/index.html | 4 ---- frontend/vite.config.ts | 16 ++++++++++------ http/http_service.go | 6 ++++++ 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/frontend/index.html b/frontend/index.html index d6b9e841..a5f0a634 100644 --- a/frontend/index.html +++ b/frontend/index.html @@ -8,10 +8,6 @@ -
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 83151db2..87232345 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -45,7 +45,7 @@ export default defineConfig(({ command }) => ({
 globPatterns: ["**/*.{js,css,html,png,svg,ico}"], }, }),
- ...(command === "serve" ? [insertDevCSPNoncePlugin] : []),
+ ...(command === "serve" ? [insertDevCSPPlugin] : []),
 ], server: { proxy: {
@@ -64,19 +64,23 @@ export default defineConfig(({ command }) => ({
 html: command === "serve" ? {
- cspNonce: "PLACEHOLDER",
+ cspNonce: "DEVELOPMENT",
 } : undefined, }));
-const insertDevCSPNoncePlugin: Plugin = {
- name: "transform-html",
+const DEVELOPMENT_NONCE = "'nonce-DEVELOPMENT'";
+
+const insertDevCSPPlugin: Plugin = {
+ name: "dev-csp",
 transformIndexHtml: { enforce: "pre", transform(html) { return html.replace(
- "default-src 'self'",
- "default-src 'self' 'nonce-PLACEHOLDER'"
+ "", ` + + ` ); }, },
diff --git a/http/http_service.go b/http/http_service.go
index 54823721..2895ccde 100644
--- a/http/http_service.go
+++ b/http/http_service.go
@@ -58,6 +58,12 @@ func NewHttpService(svc service.Service, eventPublisher events.EventPublisher) *
 func (httpSvc *HttpService) RegisterSharedRoutes(e *echo.Echo) { e.HideBanner = true
+ e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+ ContentTypeNosniff: "nosniff",
+ XFrameOptions: "DENY",
+ ContentSecurityPolicy: "default-src 'self'; img-src 'self' https://uploads.getalby-assets.com https://getalby.com;",
+ ReferrerPolicy: "no-referrer",
+ }))
 e.Use(middleware.RequestLoggerWithConfig(middleware.RequestLoggerConfig{ LogURI: true, LogStatus: true,
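Review bot: The dev-only nature of the fixed `'nonce-DEVELOPMENT'` value is implied only by the `command === "serve"` guard on the plugin registration in the first hunk; nothing at the `DEVELOPMENT_NONCE` declaration in the second hunk says so, and a reader who later reuses the constant or the plugin in a build path would ship a predictable nonce that voids the policy. Add a comment above the constant such as `// Dev server only: a fixed nonce is acceptable because insertDevCSPPlugin is registered only for command === "serve"; the production policy is the Content-Security-Policy header set in http/http_service.go.` The meta markup injected by the `transform` call is not legible in this hunk, so I cannot check that the dev policy mirrors the production directives.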
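Review bot: The `ContentSecurityPolicy` value in the new `SecureConfig` relies on `default-src` for everything except images, but `base-uri` and `form-action` are not governed by `default-src`, so an injected `<base>` element or a form posting to a foreign origin is still permitted by this policy. Suggest `ContentSecurityPolicy: "default-src 'self'; img-src 'self' https://uploads.getalby-assets.com https://getalby.com; base-uri 'self'; form-action 'self'; frame-ancestors 'none';",` where `frame-ancestors 'none'` is the CSP counterpart of the `XFrameOptions: "DENY"` set two lines above and, unlike the removed `<meta>` form, is only honoured when delivered as a header. `HSTSMaxAge` is left at zero so no Strict-Transport-Security header is emitted; whether that is intended depends on whether the service is also served over plain HTTP locally, which this hunk does not show. RegisterSharedRoutes continues past the end of the hunk.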