refactor: configurable security headers

kubeshop · Apr 4, 2024 · 6275488 · 6275488
1 parent cb75908
commit 6275488
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ COPY --from=build /app/packages/web/build /app/build
 
 COPY ./packages/web/scripts/env.sh /app/init/
 COPY ./packages/web/scripts/inject-base-href.sh /app/init/
+COPY ./packages/web/scripts/security.sh /app/init/
 
 RUN chmod +x /app/init/env.sh /app/init/inject-base-href.sh && \
     chmod a+w /etc/nginx/nginx.conf /app/build/index.html && \
@@ -49,6 +50,7 @@ CMD [ \
    cp -R /app/nginx/. /etc/nginx && \
    sh /app/init/env.sh env-config.js && \
    sh /app/init/inject-base-href.sh && \
+   sh /app/init/security.sh && \
    export DISABLE_IPV6=\"$([[ \"$ENABLE_IPV6\" = \"true\" ]] && echo \"false\" || echo \"true\")\" && \
    envsubst '$DISABLE_IPV6' < /etc/nginx/nginx.conf.tmpl | sed -e '1h;2,$H;$!d;g' -e 's/# cut true.*# end//g' > /etc/nginx/nginx.conf && \
    nginx -g \"daemon off;\"" ]
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -44,9 +44,7 @@ http {
         gzip_min_length 0;
         gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;
 
-        add_header X-Frame-Options "SAMEORIGIN";
-        add_header X-Content-Type-Options "nosniff";
-        add_header Referrer-Policy "strict-origin-when-cross-origin";
-        add_header Content-Security-Policy "script-src 'self'; default-src 'self'; frame-ancestors 'self';";
+        #SecurityHeaders
+
     }
 }
diff --git a/packages/web/scripts/security.sh b/packages/web/scripts/security.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+tempFile=$(mktemp)
+cat > "${tempFile}" <<EOF
+
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; connect-src 'self' http://${API_DOMAIN} https://${API_DOMAIN} ws://${API_DOMAIN} wss://${API_DOMAIN} blob:;";
+EOF
+
+if [ "${ENABLE_SECURITY_HEADERS}" = "true" ]; then
+  if grep -q "#SecurityHeaders" /etc/nginx/nginx.conf.tmpl; then
+    sed -i "/#SecurityHeaders/r ${tempFile}" /etc/nginx/nginx.conf.tmpl
+  fi
+fi
+
+rm "${tempFile}"
+
+cat /etc/nginx/nginx.conf.tmpl