Add config option for report URI in CSP

This option is needed because a report URI currently cannot be added through
the directives array. It also allows us to receive CSP reports not only on
Docker-based setups but also on our Heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-03-10 14:34:14 +01:00
parent 21be5a5517
commit efa490a50f
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
4 changed files with 12 additions and 2 deletions


@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) | | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
## Application settings `config.json` ## Application settings `config.json`


@ -18,7 +18,8 @@ module.exports = {
directives: { directives: {
}, },
addDefaults: true, addDefaults: true,
upgradeInsecureRequests: 'auto' upgradeInsecureRequests: 'auto',
reportURI: undefined
}, },
protocolusessl: false, protocolusessl: false,
usecdn: true, usecdn: true,


@ -15,7 +15,8 @@ module.exports = {
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
}, },
csp: { csp: {
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
reportURI: process.env.HMD_CSP_REPORTURI
}, },
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),


@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
addInlineScriptExceptions(directives) addInlineScriptExceptions(directives)
} }
addUpgradeUnsafeRequestsOptionTo(directives) addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
return directives return directives
} }
@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
} }
} }
function addReportURI (directives) {
if (config.csp.reportURI) {
directives.reportUri = config.csp.reportURI
}
}
CspStrategy.addNonceToLocals = function (req, res, next) { CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4() res.locals.nonce = uuid.v4()
next() next()
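Review bot: `addReportURI` overwrites `directives.reportUri` without a comment on what gets shipped to that endpoint, which matters here because the documented example points at a third-party collector. CSP violation reports carry the document URL, referrer and blocked resource, so a hosted collector will receive every note URL on which a violation occurs; a practitioner reading this later should see that trade-off next to the code. I would add above the assignment: `// NOTE: violation reports include the page URL and blocked resource; only point this at a collector you trust with those.` It would also be worth a one-line doc comment on the helper noting that an empty or unset `config.csp.reportURI` leaves the policy without a report-uri directive, which is what the truthiness check at `if (config.csp.reportURI)` encodes. `addNonceToLocals` at the end of the hunk continues outside it.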