-rw-r--r--defaults.toml14
-rw-r--r--internal/config/config.go5
-rw-r--r--internal/config/default.go22
3 files changed, 34 insertions, 7 deletions
diff --git a/defaults.toml b/defaults.toml
index 3822d02..6285de0 100644
--- a/defaults.toml
+++ b/defaults.toml
@@ -20,16 +20,16 @@ ExtraHeadHTML = ''
 
 # Content-Security-Policy header to send with requests. Should only need changing if ExtraHeadHTML is used.
 [Web.ContentSecurityPolicy]
-base-uri = []
+base-uri = ["'none'"]
 block-all-mixed-content = false
 child-src = []
-connect-src = []
-default-src = ["'self'"]
+connect-src = ["'self'"]
+default-src = ["'none'"]
 font-src = []
-form-action = []
+form-action = ["'self'"]
 frame-ancestors = []
 frame-src = []
-img-src = []
+img-src = ["'self'"]
 manifest-src = []
 media-src = []
 navigate-to = []
@@ -45,7 +45,7 @@ sandbox = ''
 script-src = []
 script-src-attr = []
 script-src-elem = []
-style-src = []
+style-src = ["'self'"]
 style-src-attr = []
 style-src-elem = []
 trusted-types = []
@@ -54,7 +54,9 @@ worker-src = []
 
 # Extra headers to send with HTTP requests
 [Web.Headers]
+strict-transport-security = 'max-age=31536000'
 x-content-type-options = 'nosniff'
+x-frame-options = 'DENY'
 
 # Settings for the import job
 [Importer]
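Review bot: `frame-ancestors` is left as `[]` in the first hunk of this file while `x-frame-options = 'DENY'` is added here, so framing is restricted only by the legacy header and not by the policy itself; `frame-ancestors` does not inherit from `default-src`, unlike most fetch directives, so the new `default-src = ["'none'"]` does not cover it. Browsers that support `frame-ancestors` prefer it over X-Frame-Options when both are present, so the two should be kept in agreement, e.g. `frame-ancestors = ["'none'"]` next to the existing `base-uri` and `form-action` changes. The same gap applies to the `CSP{...}` literal in internal/config/default.go, which sets BaseURI and FormAction but not FrameAncestors.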
diff --git a/internal/config/config.go b/internal/config/config.go
index 81c5f3c..c8739f0 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -117,6 +117,11 @@ func GetConfig(filename string) (*Config, error) {
 		}
 	}
 
+	config.Web.ContentSecurityPolicy.ScriptSrc = append(
+		config.Web.ContentSecurityPolicy.ScriptSrc,
+		config.Web.BaseURL.JoinPath("/static/").String(),
+	)
+
 	maps.DeleteFunc(config.Importer.Sources, func(_ string, v *Source) bool {
 		return !v.Enable
 	})
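Review bot: The appended script source carries no comment saying why it is computed here rather than in defaults.toml, and the `defaults.toml` hunk still shows `script-src = []`, so a reader of the config file will not know the static path is always allowed. A line such as `// Always allow the app's own static assets; derived from the final BaseURL, so it cannot be expressed in the defaults file.` above the append would close that gap. The call also presumes `config.Web.BaseURL` is non-nil after the user config is applied (it appears to be a `*url.URL`, given `mustURL` in default.go) — if the loader can leave it nil, `JoinPath` would panic here, so a guard may be warranted; I cannot confirm from this hunk. GetConfig begins before the hunk.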
diff --git a/internal/config/default.go b/internal/config/default.go
index 370057e..5e7b388 100644
--- a/internal/config/default.go
+++ b/internal/config/default.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"strconv"
 	"time"
 
 	"github.com/pelletier/go-toml/v2"
@@ -12,6 +13,11 @@ var nixpkgs = Repository{
 	Repo:  "nixpkgs",
 }
 
+const none = "'none'"
+const self = "'self'"
+
+const maxAge = (1 * 365 * 24 * time.Hour)
+
 var defaultConfig = Config{
 	DataPath: "./data",
 	Web: &Web{
@@ -20,10 +26,24 @@ var defaultConfig = Config{
 		BaseURL:       mustURL("http://localhost:3000"),
 		Environment:   "development",
 		ContentSecurityPolicy: CSP{
-			DefaultSrc: []string{"'self'"},
+			DefaultSrc: []string{none},
+			BaseURI:    []string{none},
+			ImgSrc:     []string{self},
+			StyleSrc:   []string{self},
+			// added dynamically based on final value of BaseURL
+			ScriptSrc:  []string{},
+			FormAction: []string{self},
+			ConnectSrc: []string{self},
 		},
 		Headers: map[string]string{
+			"strict-transport-security": "max-age=" + strconv.FormatFloat(
+				maxAge.Seconds(),
+				'f',
+				0,
+				64,
+			),
 			"x-content-type-options": "nosniff",
+			"x-frame-options":        "DENY",
 		},
 	},
 	Importer: &Importer{
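Review bot: The strict-transport-security value is built with `strconv.FormatFloat(maxAge.Seconds(), 'f', 0, 64)`, which round-trips a Duration through float64 just to print whole seconds; `"max-age=" + strconv.FormatInt(int64(maxAge/time.Second), 10)` expresses the same value directly and fits on one line. The `maxAge` constant in the previous hunk could also drop its redundant parentheses: `const maxAge = 365 * 24 * time.Hour`. The `// added dynamically based on final value of BaseURL` comment on ScriptSrc would be more useful if it named where, e.g. `// GetConfig appends BaseURL + "/static/" after the user config is loaded`. The `defaultConfig` literal continues past the hunk.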