Make CSP directives more strict

OpenShock · Jan 8, 2025 · b0ef8c7 · b0ef8c7
1 parent 3871411
commit b0ef8c7
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/.env b/.env
@@ -5,6 +5,7 @@ PUBLIC_SITE_DESCRIPTION=a free and open-source ecosystem to control various shoc
 PUBLIC_SITE_DOMAIN=INVALID
 PUBLIC_SITE_SHORT_DOMAIN=INVALID
 PUBLIC_BACKEND_API_DOMAIN=INVALID
+PUBLIC_GATEWAY_CSP_WILDCARD=INVALID
 PUBLIC_GITHUB_PROJECT_URL=https://github.com/OpenShock
 PUBLIC_DISCORD_INVITE_URL=https://discord.gg/OpenShock
 

diff --git a/.env.development b/.env.development
@@ -1,5 +1,6 @@
 PUBLIC_SITE_DOMAIN=openshock.dev
 PUBLIC_SITE_SHORT_DOMAIN=openshock.dev
 PUBLIC_BACKEND_API_DOMAIN=api.openshock.dev
+PUBLIC_GATEWAY_CSP_WILDCARD=*.openshock.dev
 
 PUBLIC_TURNSTILE_DEV_BYPASS_VALUE=dev-bypass
diff --git a/.env.production b/.env.production
@@ -1,3 +1,4 @@
 PUBLIC_SITE_DOMAIN=openshock.app
 PUBLIC_SITE_SHORT_DOMAIN=openshock.app
-PUBLIC_BACKEND_API_DOMAIN=api.openshock.app
+PUBLIC_BACKEND_API_DOMAIN=api.openshock.app
+PUBLIC_GATEWAY_CSP_WILDCARD=*.openshock.app
diff --git a/svelte.config.js b/svelte.config.js
@@ -48,15 +48,16 @@ const config = {
         'img-src': ['self', 'https://www.gravatar.com'],
         'connect-src': [
           'self',
-          'https://*.' + env.PUBLIC_SITE_DOMAIN,
-          'wss://*.' + env.PUBLIC_SITE_DOMAIN,
+          'https://' + env.PUBLIC_BACKEND_API_DOMAIN,
+          'wss://' + env.PUBLIC_BACKEND_API_DOMAIN,
+          'wss://' + env.PUBLIC_GATEWAY_CSP_WILDCARD,
           'https://firmware.openshock.org',
-          'https://api.pwnedpasswords.com',
+          'https://api.pwnedpasswords.com/range/',
           'https://cloudflareinsights.com',
         ],
         'script-src': [
           'self',
-          'https://challenges.cloudflare.com',
+          'https://challenges.cloudflare.com/turnstile/',
           'https://static.cloudflareinsights.com',
         ],
       },