all repos — searchix @ b53769462bf830f860b7d741a3d0801afdbc9aa2

Search engine for NixOS, nix-darwin, home-manager and NUR users

feat: make security headers stricter
Alan Pearce alan@alanpearce.eu
Thu, 30 May 2024 14:01:35 +0200
commit

b53769462bf830f860b7d741a3d0801afdbc9aa2

parent

4698a97974ae82e7bd8592828c58294b222a58ff

3 files changed, 34 insertions(+), 7 deletions(-)

jump to
M defaults.tomldefaults.toml
@@ -20,16 +20,16 @@ ExtraHeadHTML = '' 
 # Content-Security-Policy header to send with requests. Should only need changing if ExtraHeadHTML is used.
 [Web.ContentSecurityPolicy]
-base-uri = []
+base-uri = ["'none'"]
 block-all-mixed-content = false
 child-src = []
-connect-src = []
-default-src = ["'self'"]
+connect-src = ["'self'"]
+default-src = ["'none'"]
 font-src = []
-form-action = []
+form-action = ["'self'"]
 frame-ancestors = []
 frame-src = []
-img-src = []
+img-src = ["'self'"]
 manifest-src = []
 media-src = []
 navigate-to = []
@@ -45,7 +45,7 @@ sandbox = '' script-src = []
 script-src-attr = []
 script-src-elem = []
-style-src = []
+style-src = ["'self'"]
 style-src-attr = []
 style-src-elem = []
 trusted-types = []
@@ -54,7 +54,9 @@ worker-src = [] 
 # Extra headers to send with HTTP requests
 [Web.Headers]
+strict-transport-security = 'max-age=31536000'
 x-content-type-options = 'nosniff'
+x-frame-options = 'DENY'
 
 # Settings for the import job
 [Importer]
M internal/config/config.gointernal/config/config.go
@@ -117,6 +117,11 @@ return nil, errors.Wrap(err, "config error") 		}
 	}
 
+	config.Web.ContentSecurityPolicy.ScriptSrc = append(
+		config.Web.ContentSecurityPolicy.ScriptSrc,
+		config.Web.BaseURL.JoinPath("/static/").String(),
+	)
+
 	maps.DeleteFunc(config.Importer.Sources, func(_ string, v *Source) bool {
 		return !v.Enable
 	})
M internal/config/default.gointernal/config/default.go
@@ -1,6 +1,7 @@ package config
 
 import (
+	"strconv"
 	"time"
 
 	"github.com/pelletier/go-toml/v2"
@@ -11,6 +12,11 @@ Type:  GitHub, 	Owner: "NixOS",
 	Repo:  "nixpkgs",
 }
+
+const none = "'none'"
+const self = "'self'"
+
+const maxAge = (1 * 365 * 24 * time.Hour)
 
 var defaultConfig = Config{
 	DataPath: "./data",
@@ -20,10 +26,24 @@ Port:          3000, 		BaseURL:       mustURL("http://localhost:3000"),
 		Environment:   "development",
 		ContentSecurityPolicy: CSP{
-			DefaultSrc: []string{"'self'"},
+			DefaultSrc: []string{none},
+			BaseURI:    []string{none},
+			ImgSrc:     []string{self},
+			StyleSrc:   []string{self},
+			// added dynamically based on final value of BaseURL
+			ScriptSrc:  []string{},
+			FormAction: []string{self},
+			ConnectSrc: []string{self},
 		},
 		Headers: map[string]string{
+			"strict-transport-security": "max-age=" + strconv.FormatFloat(
+				maxAge.Seconds(),
+				'f',
+				0,
+				64,
+			),
 			"x-content-type-options": "nosniff",
+			"x-frame-options":        "DENY",
 		},
 	},
 	Importer: &Importer{