From 0ed30b0bfe58df00bd430bc277d01ca1d44be890 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Fri, 22 Sep 2023 19:45:17 -0700
Subject: [PATCH] Add CSP
---
 .github/workflows/merge.yml | 28 ++++++++++++++--------------
 frontend/Caddyfile | 4 ++--
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index dc71126..05d5e6e 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -97,17 +97,17 @@ jobs:
 target: test
 tags: prod
- ghcr-cleanup:
- name: GHCR Cleanup
- runs-on: ubuntu-latest
- strategy:
- matrix:
- name: [backend, frontend]
- steps:
- - name: Keep last 50
- uses: actions/delete-package-versions@v4
- with:
- package-name: "${{ github.event.repository.name }}/${{ matrix.name }}"
- package-type: "container"
- min-versions-to-keep: 50
- ignore-versions: "^(prod|test)$"
+ # ghcr-cleanup:
+ # name: GHCR Cleanup
+ # runs-on: ubuntu-latest
+ # strategy:
+ # matrix:
+ # name: [backend, frontend]
+ # steps:
+ # - name: Keep last 50
+ # uses: actions/delete-package-versions@v4
+ # with:
+ # package-name: "${{ github.event.repository.name }}/${{ matrix.name }}"
+ # package-type: "container"
+ # min-versions-to-keep: 50
+ # ignore-versions: "^(prod|test)$"
diff --git a/frontend/Caddyfile b/frontend/Caddyfile
index 4bd8f84..a50dc14 100644
--- a/frontend/Caddyfile
+++ b/frontend/Caddyfile
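Review bot: The ghcr-cleanup job is commented out rather than removed, with no comment saying why or when it should come back, and the commit message ("Add CSP") does not mention it at all. Dead YAML tends to drift as the rest of the workflow changes; either delete the block (git history keeps it) or add a one-line reason above it, e.g. `# ghcr-cleanup disabled: <reason> — see <tracking issue>` (placeholders). Note the operational effect: container versions under `${{ github.event.repository.name }}/backend` and `/frontend` are no longer pruned to the last 50 (with prod/test kept), so GHCR storage grows unbounded until this is re-enabled. The `jobs:` mapping this sits in starts outside the hunk.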
@@ -23,10 +23,10 @@ Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate"
 X-Content-Type-Options "nosniff"
 Strict-Transport-Security "max-age=31536000"
- Content-Security-Policy "base-uri 'self'; connect-src 'self' https://*.gov.bc.ca https://*.amazoncognito.com https://cognito-idp.ca-central-1.amazonaws.com; default-src 'self'; font-src 'self'; frame-src 'self' https://*.gov.bc.ca; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'unsafe-inline' 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/js/bootstrap.bundle.min.js https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.7/dist/umd/popper.min.js https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/js/bootstrap.min.js; style-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/css/bootstrap.min.css; worker-src 'none';"
+ Content-Security-Policy "base-uri 'self'; connect-src 'self' https://*.gov.bc.ca https://*.amazoncognito.com https://*.cloudfront.net https://cognito-idp.ca-central-1.amazonaws.com; default-src 'self'; font-src 'self'; frame-src 'self' https://*.gov.bc.ca; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'unsafe-inline' 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/js/bootstrap.bundle.min.js https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.7/dist/umd/popper.min.js https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/js/bootstrap.min.js; style-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha3/dist/css/bootstrap.min.css; worker-src 'none';"
 Referrer-Policy "same-origin"
 }
-
+
 handle /env.js {
 header Content-Type "text/javascript"
 respond `window.config = 
{"VITE_USER_POOLS_ID":"{$VITE_USER_POOLS_ID}","VITE_USER_POOLS_WEB_CLIENT_ID":"{$VITE_USER_POOLS_WEB_CLIENT_ID}","VITE_REDIRECT_SIGN_OUT":"{$VITE_REDIRECT_SIGN_OUT}","VITE_ZONE":"{$VITE_ZONE}","VITE_CHES_FROM_EMAIL":"{$VITE_CHES_FROM_EMAIL}","VITE_CHES_ADMIN_EMAIL":"{$VITE_CHES_ADMIN_EMAIL}"};`
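Review bot: The new `https://*.cloudfront.net` entry in connect-src permits fetch/XHR/WebSocket connections to every CloudFront distribution, not just the one this frontend uses, because that hostname suffix is shared by all CloudFront customers; as a connect-src restriction it therefore adds almost nothing over omitting the directive. Unless the distribution hostname is unknown at deploy time, name it explicitly, e.g. `https://<distribution-id>.cloudfront.net` (placeholder for the actual distribution hostname), or front the distribution with a `*.gov.bc.ca` name that the policy already allows. The `-`/`+` pair after the closing brace changes only whitespace on a blank line and could be dropped from the commit. Separately and pre-existing, `script-src 'unsafe-inline'` remains in the policy, so the CSP still does not block injected inline scripts; that is worth a tracked follow-up rather than a silent widening here.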