Add config option for report URI in CSP
This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
parent
21be5a5517
commit
efa490a50f
4 changed files with 12 additions and 2 deletions
|
@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
|
||||||
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
|
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
|
||||||
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
|
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
|
||||||
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
|
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
|
||||||
|
| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
|
||||||
|
|
||||||
## Application settings `config.json`
|
## Application settings `config.json`
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,8 @@ module.exports = {
|
||||||
directives: {
|
directives: {
|
||||||
},
|
},
|
||||||
addDefaults: true,
|
addDefaults: true,
|
||||||
upgradeInsecureRequests: 'auto'
|
upgradeInsecureRequests: 'auto',
|
||||||
|
reportURI: undefined
|
||||||
},
|
},
|
||||||
protocolusessl: false,
|
protocolusessl: false,
|
||||||
usecdn: true,
|
usecdn: true,
|
||||||
|
|
|
@ -15,7 +15,8 @@ module.exports = {
|
||||||
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
|
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
|
||||||
},
|
},
|
||||||
csp: {
|
csp: {
|
||||||
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
|
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
|
||||||
|
reportURI: process.env.HMD_CSP_REPORTURI
|
||||||
},
|
},
|
||||||
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
||||||
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
|
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
|
||||||
|
|
|
@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
|
||||||
addInlineScriptExceptions(directives)
|
addInlineScriptExceptions(directives)
|
||||||
}
|
}
|
||||||
addUpgradeUnsafeRequestsOptionTo(directives)
|
addUpgradeUnsafeRequestsOptionTo(directives)
|
||||||
|
addReportURI(directives)
|
||||||
return directives
|
return directives
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function addReportURI (directives) {
|
||||||
|
if (config.csp.reportURI) {
|
||||||
|
directives.reportUri = config.csp.reportURI
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
CspStrategy.addNonceToLocals = function (req, res, next) {
|
CspStrategy.addNonceToLocals = function (req, res, next) {
|
||||||
res.locals.nonce = uuid.v4()
|
res.locals.nonce = uuid.v4()
|
||||||
next()
|
next()
|
||||||
|
|
Loading…
Reference in a new issue