
Commit ac6453d

committed
chore: add security http header
1 parent 3a1eb4c commit ac6453d

7 files changed

Lines changed: 102 additions & 1 deletion


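--- /dev/null
+++ b/docker/nginx-spa.conf
@@ -0,0 +1,69 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+
+events {
+worker_connections 1024;
+}
+
+http {
+server_tokens off;
+absolute_redirect off;
+access_log /var/log/nginx/access.log;
+default_type application/octet-stream;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/mime.types;
+keepalive_timeout 3000;
+sendfile on;
+
+server {
+listen 8080;
+root /usr/share/nginx/html;
+index index.html;
+server_name_in_redirect on;
+
+add_header Referrer-Policy "no-referrer" always;
+add_header X-XSS-Protection "0" always;
+add_header X-Frame-Options "deny" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data: https://*.openstreetmap.org https://jedonnemonavis.numerique.gouv.fr; object-src 'none'; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; connect-src 'self' https:; worker-src 'self' blob:;" always;
+
+charset utf-8;
+
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types text/css application/json application/javascript application/x-javascript text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
+
+client_max_body_size 32m;
+error_page 500 502 503 504 /50x.html;
+
+location / {
+try_files $uri $uri.html $uri/index.html $uri/ /index.html;
+}
+
+location /50x.html {
+root /var/lib/nginx/html;
+}
+
+location /live {
+default_type text/plain;
+return 200 'OK';
+}
+
+include /etc/nginx/ready_response.conf;
+location /ready {
+default_type text/plain;
+if ($ready_response = 'OK') {
+return 200 $ready_response;
+}
+return 500 'Not Ready';
+}
+}
+}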
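Review bot: The Content-Security-Policy on new line 30 leaves `script-src` effectively open: `'self' https: 'unsafe-inline' 'unsafe-eval'` permits inline script, `eval`, and script from any HTTPS origin, so an injected `<script>` or a compromised third-party host is not blocked by this policy, and only `object-src 'none'`, `base-uri 'self'` and `form-action 'self'` add real protection. If the framework bundle needs inline scripts, prefer hashes or nonces over `'unsafe-inline'` and enumerate the script origins actually used instead of `https:`. The policy also disagrees with line 28: `X-Frame-Options "deny"` forbids all framing while `frame-ancestors 'self'` allows same-origin framing, and browsers that support `frame-ancestors` ignore X-Frame-Options when both are present, so settle on one (`frame-ancestors 'none'` if deny is the intent). Finally, `keepalive_timeout 3000;` holds idle connections for 50 minutes against a `worker_connections 1024;` budget; confirm that is deliberate for this deployment and leave a one-line comment stating why.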

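--- a/packages/backend/src/app.ts
+++ b/packages/backend/src/app.ts
@@ -48,7 +48,21 @@ const app = express();
 
 const log = logger(module.filename);
 
-app.use(helmet());
+app.use(
+helmet({
+contentSecurityPolicy: {
+directives: {
+"object-src": ["'none'"],
+"script-src": ["'self'"],
+},
+},
+referrerPolicy: { policy: "no-referrer" },
+}),
+);
+app.use((_req, res, next) => {
+res.setHeader("X-XSS-Protection", "0");
+next();
+});
 
 const whitelist = [
 config.frontUsagersDomain,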
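Review bot: The `contentSecurityPolicy.directives` on new lines 53–58 appear to duplicate helmet's built-in defaults rather than tighten them: in helmet 4 and later the default CSP already contains `object-src 'none'` and `script-src 'self'`, and `directives` is merged on top of those defaults unless `useDefaults: false` is given, so the emitted headers are presumably identical to the previous `helmet()` call (confirm against the installed helmet version). The same likely holds for `referrerPolicy: { policy: "no-referrer" }` and the separate `X-XSS-Protection: 0` middleware on lines 62–65, both of which those helmet versions set by default. If the intent is instead to narrow the policy to only these two directives, `useDefaults: false` is required and the defaults that would be dropped (`default-src 'self'`, `frame-ancestors 'self'`, `upgrade-insecure-requests`) must then be restated explicitly. A one-line comment stating which headers this block changes relative to helmet's defaults would save the next reader this check.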

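--- a/packages/external-api/src/main.ts
+++ b/packages/external-api/src/main.ts
@@ -11,6 +11,16 @@ patchNestJsSwagger();
 
 async function bootstrap() {
 const app = await NestFactory.create(AppModule, { bufferLogs: true });
+app.use((_req, res, next) => {
+res.setHeader("Referrer-Policy", "no-referrer");
+res.setHeader("X-XSS-Protection", "0");
+res.setHeader("X-Content-Type-Options", "nosniff");
+res.setHeader(
+"Content-Security-Policy",
+"default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
+);
+next();
+});
 app.useLogger(app.get(Logger));
 const config = new DocumentBuilder()
 .setTitle("VAO Api")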
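Review bot: The hand-rolled header middleware on new lines 14–23 sets no framing protection: neither `X-Frame-Options` nor a `frame-ancestors` directive is present, so any HTML this service serves (the Swagger UI being configured just below, presumably) can still be framed, unlike the backend and nginx configurations in this same commit. Adding `frame-ancestors 'none'` and `base-uri 'self'` to the CSP string on line 20 (`default-src` covers neither) plus `res.setHeader("X-Frame-Options", "DENY");` next to the other headers would close that gap. `script-src 'self' 'unsafe-inline'` also removes most of the XSS value of the policy; if it exists for Swagger UI's inline bootstrap script, say so in a comment and consider pinning it with a hash. The `bootstrap` function continues outside the hunk.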

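--- a/packages/frontend-bo/Dockerfile
+++ b/packages/frontend-bo/Dockerfile
@@ -64,4 +64,5 @@ RUN --mount=type=secret,id=sentry_auth_token \
 
 FROM ghcr.io/socialgouv/docker/nginx4spa:8.2.4
 
+COPY docker/nginx-spa.conf /etc/nginx/nginx.conf
 COPY --from=builder --chown=101:101 /app/packages/frontend-bo/.output/public /usr/share/nginx/html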
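Review bot: The new `COPY docker/nginx-spa.conf /etc/nginx/nginx.conf` on line 67 replaces the base image's entire nginx configuration, and the replacement starts with `user nginx;` while the next line installs the site as uid 101; if `nginx4spa` runs the master process unprivileged (as the `--chown=101:101` suggests), nginx will warn that only the superuser can switch users and the directive is dead, so confirm and drop it if so. The copied config also depends on files the base image must still provide (`/etc/nginx/ready_response.conf`, `/var/lib/nginx/html/50x.html`, `/etc/nginx/mime.types`), none of which this Dockerfile creates. A comment on the COPY such as `# Replaces the nginx4spa default config; /live, /ready and 50x handling rely on files shipped by the base image` would make that coupling visible when the base image is next bumped.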

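--- a/packages/frontend-bo/nuxt.config.ts
+++ b/packages/frontend-bo/nuxt.config.ts
@@ -65,7 +65,10 @@ export default defineNuxtConfig({
 security: {
 headers: {
 crossOriginEmbedderPolicy: "unsafe-none",
+referrerPolicy: "no-referrer",
+xXSSProtection: "0",
 contentSecurityPolicy: {
+"object-src": ["'none'"],
 "img-src": ["'self'", "*.openstreetmap.org", "data:"],
 "script-src": [
 "'self'",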
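Review bot: The headers added on lines 68–71 presumably only take effect when the app is served by Nitro, whereas this same commit serves the built `.output/public` from nginx with its own `add_header` set in `docker/nginx-spa.conf`, so in the container the effective Referrer-Policy, X-XSS-Protection and CSP come from nginx rather than from this block (unless nuxt-security also emits them as `<meta http-equiv>` tags in the static output; verify). Keeping two policies is risky because they already diverge: the nginx CSP permits `'unsafe-eval'` and any `https:` script origin, which this config's `script-src` may not, and when a `<meta>` CSP and a header CSP are both present the browser enforces both. Pick one source of truth, or at least add `// Served by nginx in docker; keep in sync with docker/nginx-spa.conf` above `headers` so the two are not tightened independently. The `contentSecurityPolicy` object continues outside the hunk.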

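--- a/packages/frontend-usagers/Dockerfile
+++ b/packages/frontend-usagers/Dockerfile
@@ -65,4 +65,5 @@ RUN --mount=type=secret,id=sentry_auth_token \
 
 FROM ghcr.io/socialgouv/docker/nginx4spa:8.2.4
 
+COPY docker/nginx-spa.conf /etc/nginx/nginx.conf
 COPY --from=builder --chown=101:101 /app/packages/frontend-usagers/.output/public /usr/share/nginx/html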
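Review bot: Line 68 overwrites the base image's `/etc/nginx/nginx.conf` with a config whose `user nginx;`, `/etc/nginx/ready_response.conf` include and `/var/lib/nginx/html` error-page root all assume things about `nginx4spa:8.2.4` that this Dockerfile neither checks nor documents; if the image runs nginx as uid 101, the `user` directive only produces a startup warning, and a future base-image bump can silently break `/ready` or the 50x page. A short comment on the COPY, e.g. `# Overrides the nginx4spa default config; assumes the base image still ships ready_response.conf and 50x.html`, would record that dependency.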

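--- a/packages/frontend-usagers/nuxt.config.ts
+++ b/packages/frontend-usagers/nuxt.config.ts
@@ -60,7 +60,10 @@ export default defineNuxtConfig({
 security: {
 headers: {
 crossOriginEmbedderPolicy: "unsafe-none",
+referrerPolicy: "no-referrer",
+xXSSProtection: "0",
 contentSecurityPolicy: {
+"object-src": ["'none'"],
 "img-src": [
 "'self'",
 "*.openstreetmap.org",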
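Review bot: `object-src 'none'` on line 66 and the two header entries on lines 63–64 are now declared twice for this app, here and in `docker/nginx-spa.conf`, which this commit installs in the image that serves the static build, and nothing ties the two declarations together; the nginx headers are presumably what the browser actually receives from the container unless nuxt-security injects a `<meta>` policy into the generated HTML (verify). A comment such as `// Mirrored in docker/nginx-spa.conf; change both together` next to `contentSecurityPolicy` would make the duplication visible before the two policies drift further apart. The enclosing `contentSecurityPolicy` object continues past the end of the hunk.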
