From da363c57aedf9a279fc6e7d2326ab6c7ef8c634d Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Fri, 31 Jan 2025 15:39:16 +0100
Subject: [PATCH 1/2] Set `Content-Security-Policy` header according to best practices

Was not sure if we need to allow inline stuff or not in a quick look.
---
 docker/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker/nginx.conf b/docker/nginx.conf
index 9aecba23..3ebb61ef 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -6,6 +6,9 @@ server {
 index index.html;
 try_files $uri $uri/ /index.html?$args;
+
+ add_header X-Frame-Options "DENY";
+ add_header Content-Security-Policy "default-src 'none' ; connect-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; object-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'";
 }
 location /appuio-api/ {
 proxy_pass ${APPUIO_API};

From 61758ecd33ec51aac0f72d39dec43e7000ed78f1 Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Fri, 31 Jan 2025 15:53:19 +0100
Subject: [PATCH 2/2] Less overambitious Content-Security-Policy

The staging deployment is borked and I saw that we include some analytics js thingies.
---
 docker/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/nginx.conf b/docker/nginx.conf
index 3ebb61ef..79831cbc 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -8,7 +8,7 @@ server {
 try_files $uri $uri/ /index.html?$args;
 add_header X-Frame-Options "DENY";
- add_header Content-Security-Policy "default-src 'none' ; connect-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; object-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'";
+ add_header Content-Security-Policy "frame-ancestors 'none';";
 }
 location /appuio-api/ {
 proxy_pass ${APPUIO_API};
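Review bot: Both new `add_header` lines are only attached to 2xx/3xx responses, because nginx's `add_header` skips other status codes unless the `always` parameter is given, so a 404 or an upstream 5xx from this server block is served without `X-Frame-Options` or the CSP; the same gap applies to the rewritten header line in PATCH 2/2. Suggest `add_header X-Frame-Options "DENY" always;` and the same `always` on the `Content-Security-Policy` line. A second nginx subtlety worth a comment above these lines is that `add_header` directives are inherited by a `location` only when that location defines none of its own, so a future `add_header` inside `location /appuio-api/` would silently drop both server-level headers for proxied responses. Within the policy itself, `'unsafe-inline'` has no meaning in `object-src` (it is only honoured by `script-src` and `style-src`) and `object-src 'self'` is tighter as `'none'` unless the app embeds plugin content, though this line is replaced in the next patch. The enclosing `server` block starts before the hunk.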
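Review bot: The cut-down policy on the `+` line keeps only `frame-ancestors`, which `X-Frame-Options "DENY"` on the line above already covers, and drops `object-src` and `base-uri`, the two directives from the previous version that an analytics script could not have broken. Suggest `add_header Content-Security-Policy "frame-ancestors 'none'; object-src 'none'; base-uri 'self'";`, with the caveat that `object-src 'none'` presumes the app embeds no `<object>`/`<embed>` content, which is not visible from this hunk. If the breakage really was the analytics script, allow-listing its origin in `script-src` and `connect-src` would keep most of the earlier policy instead of removing it; a short comment explaining why the policy was relaxed would help the next person who tries to tighten it. The `server` block starts before the hunk.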