bcgov · sukanya-rath · May 11, 2024 · May 9, 2024 · May 10, 2024 · May 10, 2024
@@ -64,6 +64,7 @@ const metricsMiddleware = promBundle({
   promRegistry: register,
 });
 const app = express();
+app.set('trust proxy', 1);
 const apiRouter = express.Router();
 
 const JWTStrategy = passportJWT.Strategy;
@@ -88,29 +89,33 @@ app.use(
     limit: `${MAX_NETWORK_TRANSFER_SIZE_BYTES}b`,
   }),
 );
-
+let proxy = true;
 const cookie = {
+  secure: true,
   httpOnly: true,
   maxAge: 1800000, //30 minutes in ms. this is same as session time. DO NOT MODIFY, IF MODIFIED, MAKE SURE SAME AS SESSION TIME OUT VALUE.
+
 };
+if ('local' === config.get('environment')) {
+  cookie.secure = false;
+  proxy = false;
+}
 
 //sets cookies for security purposes (prevent cookie access, allow secure connections only, etc)
 const sess = {
   name: 'fin_pay_transparency_cookie',
   secret: config.get('oidc:clientSecret'),
   resave: false,
-  saveUninitialized: false,
+  saveUninitialized: true,
   cookie: cookie,
+  proxy,
   store: new fileSession({
     path: resolve('./', config.get('server:sessionPath')),
     logFn: (msg: string) => {
       logger.silly(msg);
     },
   }),
 };
-if ('production' === config.get('environment')) {
-  app.set('trust proxy', 1);
-}
 app.use(session(sess));
 //initialize routing and session. Cookies are now only reachable via requests (not js)
 app.use(passport.initialize());
@@ -137,7 +142,6 @@ function addLoginPassportUse(
         callbackURL: callbackURI,
         scope: 'bceidbusiness',
         kc_idp_hint: kc_idp_hint,
-        sessionKey: 'fin-pay-transparency',
       },
       (
         _issuer,

@@ -42,7 +42,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: BACKEND_URL
-              value: http://{{ .Release.Name }}-backend
+              value: "{{ .Release.Name }}-backend"
             - name: LOG_LEVEL
               value: {{ .Values.env.logLevel }}
             - name: SNOWPLOW_URL

@@ -32,7 +32,7 @@
   rewrite @spa_router {http.matchers.file.relative}
 
   header {
-    X-Frame-Options "SAMEORIGIN"
+    X-Frame-Options "DENY"
     X-XSS-Protection "1;mode=block"
     Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate"
     X-Content-Type-Options "nosniff"
@@ -41,12 +41,20 @@
      script-src 'self' 'unsafe-eval' https://www2.gov.bc.ca https://spm.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 ;
      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com;
      font-src 'self' https://fonts.gstatic.com;
-     img-src 'self' data: https://fonts.googleapis.com http://www.w3.org https://*.gov.bc.ca"
-    Referrer-Policy "same-origin"
+     img-src 'self' data: https://fonts.googleapis.com http://www.w3.org https://*.gov.bc.ca;
+     frame-src 'none'; 
+     manifest-src 'self'; 
+     worker-src 'self'; 
+     upgrade-insecure-requests; 
+     block-all-mixed-content;"
+    Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
     Feature-Policy "fullscreen 'self'; camera 'none'; microphone 'none'"
+    -Server
   }
   # Proxy requests to API service
-  reverse_proxy /api/* {$BACKEND_URL}
+  reverse_proxy /api/* {$BACKEND_URL}{
+    header_up X-Forwarded-Proto https
+  }
 }
 :3001 {
   handle /health {