feat: add csp header configuration for review

hpi-schul-cloud · Jun 17, 2024 · e9e3809 · e9e3809
1 parent 18d0bdc
commit e9e3809
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 4 deletions.
diff --git a/roles/bettermarks_proxy/defaults/main.yml b/roles/bettermarks_proxy/defaults/main.yml
@@ -4,6 +4,7 @@ bettermarks_proxy_enabled_instances:
   - translations
   - apps
   - events
+  - csp-report
 bettermarks_subdomains:
   apm: apm
   school: school
@@ -16,6 +17,7 @@ bettermarks_proxy_subdomains:
   apps: apps
   events: events
   translations: translations
+  csp: csp-report
 bettermarks_domain: bettermarks.com
 proxy_identification_header: "x-schulcloud-proxy"
 bettermarks_proxy_ingress_enabled: false
@@ -41,4 +43,4 @@ bettermarks_proxy_chart_values:
   ingress:
     enabled: "{{ bettermarks_proxy_ingress_enabled }}"
     tls: "{{ bettermarks_proxy_ingress_tls }}"
-    annotations: "{{ bettermarks_proxy_ingress_annotations }}"
+    annotations: "{{ bettermarks_proxy_ingress_annotations }}"
diff --git a/roles/bettermarks_proxy/templates/apps.conf.j2 b/roles/bettermarks_proxy/templates/apps.conf.j2
@@ -3,6 +3,11 @@ server{
   location / {
     proxy_hide_header 'Access-Control-Allow-Origin';
     add_header 'Access-Control-Allow-Origin' $http_origin;
+    # Hide original CSP Headers
+    proxy_hide_header 'Content-Security-Policy';
+    proxy_hide_header 'Content-Security-Policy-Report-Only';
+    # We don't know how to add root domain.
+    add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
     proxy_set_header {{ proxy_identification_header }} true;
     proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
     proxy_ssl_server_name on;
@@ -15,4 +20,4 @@ server{
     sub_filter_once off;
     sub_filter_types application/json  text/javascript;
   }
-}
+}
diff --git a/roles/bettermarks_proxy/templates/basic.conf.j2 b/roles/bettermarks_proxy/templates/basic.conf.j2
@@ -3,9 +3,13 @@ server{
   location / {
     proxy_hide_header 'Access-Control-Allow-Origin';
     add_header 'Access-Control-Allow-Origin' $http_origin;
+    # Hide original CSP Headers
+    proxy_hide_header 'Content-Security-Policy';
+    proxy_hide_header 'Content-Security-Policy-Report-Only';
+    add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
     proxy_set_header {{ proxy_identification_header }} true;
     proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
     proxy_ssl_server_name on;
     proxy_intercept_errors off;
   }
-}
+}
diff --git a/roles/bettermarks_proxy/templates/school.conf.j2 b/roles/bettermarks_proxy/templates/school.conf.j2
@@ -7,6 +7,10 @@ server{
     add_header 'Access-Control-Allow-Origin' $http_origin;
     proxy_hide_header 'Access-Control-Allow-Credentials';
     add_header 'Access-Control-Allow-Credentials' true;
+    # Hide original CSP Headers
+    proxy_hide_header 'Content-Security-Policy';
+    proxy_hide_header 'Content-Security-Policy-Report-Only';
+    add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
     # Proxy to the origin
     proxy_set_header {{ proxy_identification_header }} true;
     proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
@@ -27,6 +31,10 @@ server{
     add_header 'Access-Control-Allow-Origin' $http_origin;
     proxy_hide_header 'Access-Control-Allow-Credentials';
     add_header 'Access-Control-Allow-Credentials' true;
+    # Hide original CSP Headers
+    proxy_hide_header 'Content-Security-Policy';
+    proxy_hide_header 'Content-Security-Policy-Report-Only';
+    add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
     # Proxy to the origin
     proxy_set_header {{ proxy_identification_header }} true;
     proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
@@ -49,6 +57,10 @@ server{
     add_header 'Access-Control-Allow-Origin' $http_origin;
     proxy_hide_header 'Access-Control-Allow-Credentials';
     add_header 'Access-Control-Allow-Credentials' true;
+    # Hide original CSP Headers
+    proxy_hide_header 'Content-Security-Policy';
+    proxy_hide_header 'Content-Security-Policy-Report-Only';
+    add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
     # Proxy to the origin
     proxy_set_header {{ proxy_identification_header }} true;
     proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
@@ -64,4 +76,4 @@ server{
     sub_filter_once off;
     sub_filter_types application/json;
   }
-}
+}