Fourth draft of CSP- test on staging
parent
cb3db3eb69
commit
553d4e70b8
|
@ -36,29 +36,21 @@ module FarmBot
|
||||||
# ¯\_(ツ)_/¯
|
# ¯\_(ツ)_/¯
|
||||||
$API_URL = "//#{ Rails.application.routes.default_url_options[:host] }:#{ Rails.application.routes.default_url_options[:port] }"
|
$API_URL = "//#{ Rails.application.routes.default_url_options[:host] }:#{ Rails.application.routes.default_url_options[:port] }"
|
||||||
SecureHeaders::Configuration.default do |config|
|
SecureHeaders::Configuration.default do |config|
|
||||||
config.cookies = {
|
config.hsts = "max-age=#{1.week.to_i}"
|
||||||
secure: true, # mark all cookies as "Secure"
|
config.x_frame_options = "DENY"
|
||||||
httponly: true, # mark all cookies as "HttpOnly"
|
config.x_content_type_options = "nosniff"
|
||||||
samesite: {
|
config.x_xss_protection = "1; mode=block"
|
||||||
lax: true # mark all cookies as SameSite=lax
|
config.x_download_options = "noopen"
|
||||||
}
|
|
||||||
}
|
|
||||||
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
||||||
config.hsts = "max-age=#{1.week.to_i}"
|
|
||||||
config.x_frame_options = "DENY"
|
|
||||||
config.x_content_type_options = "nosniff"
|
|
||||||
config.x_xss_protection = "1; mode=block"
|
|
||||||
config.x_download_options = "noopen"
|
|
||||||
config.x_permitted_cross_domain_policies = "none"
|
config.x_permitted_cross_domain_policies = "none"
|
||||||
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
config.referrer_policy = %w(
|
||||||
config.csp = {
|
origin-when-cross-origin
|
||||||
# preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
strict-origin-when-cross-origin
|
||||||
|
)
|
||||||
# directive values: these values will directly translate into source directives
|
config.csp = {
|
||||||
default_src: %w(https: 'self'),
|
default_src: %w(https: 'self'),
|
||||||
base_uri: %w('self'),
|
base_uri: %w('self'),
|
||||||
block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
|
block_all_mixed_content: true,
|
||||||
child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
|
child_src: %w('self'),
|
||||||
connect_src: [ENV["MQTT_HOST"],
|
connect_src: [ENV["MQTT_HOST"],
|
||||||
"#{ENV["API_HOST"]}:#{ENV["API_PORT"]}",
|
"#{ENV["API_HOST"]}:#{ENV["API_PORT"]}",
|
||||||
"api.github.com",
|
"api.github.com",
|
||||||
|
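Review bot: Removing the `config.cookies = { secure: true, httponly: true, samesite: { lax: true } }` block just after `SecureHeaders::Configuration.default do |config|` leaves the Secure/HttpOnly/SameSite cookie attributes to whatever the pinned secure_headers gem version defaults to; newer releases of the gem default cookies to Secure/HttpOnly/SameSite=Lax as far as I recall, but if the Gemfile pins an older release this deletion silently drops that hardening, and nothing on the new side of the hunk says which is the case. If the deletion is intentional, a one-line comment next to the `config.hsts` line such as `# Cookie flags (Secure/HttpOnly/SameSite=Lax) are left to secure_headers' defaults; verify against the pinned gem version` records the decision, and a request spec asserting the `Set-Cookie` attributes on a session-setting response would catch a regression either way. The `SecureHeaders::Configuration.default` block starts in this hunk and continues into the next one.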
@ -66,19 +58,40 @@ module FarmBot
|
||||||
"openfarm.cc",
|
"openfarm.cc",
|
||||||
"api.rollbar.com"] +
|
"api.rollbar.com"] +
|
||||||
(Rails.env.production? ? %w(wss:) : %w(ws: localhost:3000 localhost:3808)),
|
(Rails.env.production? ? %w(wss:) : %w(ws: localhost:3000 localhost:3808)),
|
||||||
font_src: %w('self' data: maxcdn.bootstrapcdn.com fonts.googleapis.com fonts.gstatic.com),
|
font_src: %w(
|
||||||
form_action: %w('self'), # React forms sometimes post to ''
|
'self'
|
||||||
|
data:
|
||||||
|
maxcdn.bootstrapcdn.com
|
||||||
|
fonts.googleapis.com
|
||||||
|
fonts.gstatic.com
|
||||||
|
),
|
||||||
|
form_action: %w('self'),
|
||||||
frame_ancestors: %w('none'),
|
frame_ancestors: %w('none'),
|
||||||
img_src: %w(* data:), # We need "*" to support webcam users.
|
img_src: %w(* data:), # We need "*" to support webcam users.
|
||||||
manifest_src: %w('self'),
|
manifest_src: %w('self'),
|
||||||
media_src: %w(),
|
media_src: %w(),
|
||||||
object_src: %w(),
|
object_src: %w(),
|
||||||
sandbox: %w(allow-scripts allow-forms allow-same-origin allow-modals),
|
sandbox: %w(
|
||||||
|
allow-scripts
|
||||||
|
allow-forms
|
||||||
|
allow-same-origin
|
||||||
|
allow-modals
|
||||||
|
),
|
||||||
plugin_types: %w(),
|
plugin_types: %w(),
|
||||||
script_src: %w('self' 'unsafe-eval' 'unsafe-inline' cdnjs.cloudflare.com) +
|
script_src: %w(
|
||||||
(Rails.env.production? ? [] : %w(chrome-extension: localhost:3808)),
|
'self'
|
||||||
style_src: %w('unsafe-inline' fonts.googleapis.com
|
'unsafe-eval'
|
||||||
maxcdn.bootstrapcdn.com fonts.gstatic.com),
|
'unsafe-inline'
|
||||||
|
cdnjs.cloudflare.com
|
||||||
|
chrome-extension:
|
||||||
|
localhost:3808
|
||||||
|
),
|
||||||
|
style_src: %w(
|
||||||
|
'unsafe-inline'
|
||||||
|
fonts.googleapis.com
|
||||||
|
maxcdn.bootstrapcdn.com
|
||||||
|
fonts.gstatic.com
|
||||||
|
),
|
||||||
worker_src: %w(),
|
worker_src: %w(),
|
||||||
upgrade_insecure_requests: false, # WHY? Some people run webcam feeds
|
upgrade_insecure_requests: false, # WHY? Some people run webcam feeds
|
||||||
# over plain http://. I wish they
|
# over plain http://. I wish they
|
||||||
|
|