Add various HTTP headers to improve security (#643)

* Add various HTTP headers to improve security

* Set CSP to report only

* Fix STYLE -> DEFAULT for debug CSP

* Add missing type

* Add 'unsafe-inline' and send CSP reports to datadog

* Fix datadog CSP report delivery

* Update infra/helm/meshdb/templates/nginx_configmap.yaml

Co-authored-by: james-otten <[email protected]>

* Disable HSTS subdomain and preload flags

---------

Co-authored-by: james-otten <[email protected]>

infra/helm/meshdb/templates/nginx_configmap.yaml

@@ -20,9 +20,8 @@ data:
       location / {
         proxy_pass http://{{ include "meshdb.fullname" . }}-meshweb.{{ .Values.meshdb_app_namespace }}.svc.cluster.local:{{ .Values.meshweb.port }}/;
         proxy_set_header Host $host;
-        #proxy_set_header X-Real-IP $remote_addr;
-        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        #proxy_redirect off;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
     }
 

pyproject.toml

@@ -10,6 +10,8 @@ dependencies = [
     "drf-hooks==0.1.3",
     "psycopg2-binary==2.9.*",
     "gunicorn==22.0.*",
+    "django-csp==3.*",
+    "django-permissions-policy==4.22.*",
     "python-dotenv==1.0.*",
     "stringcase==1.2.*",
     "python-dotenv==1.0.*",

src/meshdb/settings.py

@@ -13,7 +13,7 @@
 import logging
 import os
 from pathlib import Path
-from typing import Any, Dict
+from typing import Any, Dict, List
 
 from django.http.request import HttpRequest
 from dotenv import load_dotenv
@@ -52,6 +52,51 @@
 
 USE_X_FORWARDED_HOST = True
 
+SECURE_HSTS_SECONDS = 30  # TODO: Increase me to 31536000 https://github.com/nycmeshnet/meshdb/issues/642
+SECURE_HSTS_PRELOAD = False
+SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
+CSP_REPORT_ONLY = True  # TODO: Set me to false https://github.com/nycmeshnet/meshdb/issues/644
+CSP_DEFAULT_SRC = [
+    "'self'",
+    "*.nycmesh.net",
+    "maps.googleapis.com",
+    "maps.gstatic.com",
+    "fonts.googleapis.com",
+    "fonts.gstatic.com",
+    "'unsafe-inline'",  # TODO: Remove me https://github.com/nycmeshnet/meshdb/issues/645
+    "*.browser-intake-us5-datadoghq.com",
+]
+CSP_REPORT_URI = [
+    "https://csp-report.browser-intake-us5-datadoghq.com/api/v2/logs"
+    "?dd-api-key=pubca00a94e49167539d2e291bea2b0f20f&dd-evp-origin=content-security-policy"
+    f"&ddsource=csp-report&ddtags=service%3Ameshdb%2Cenv%3A{MESHDB_ENVIRONMENT}"
+]
+
+# We don't use any of these advanced features, so be safe and disallow any scripts from
+# using them on our pages
+PERMISSIONS_POLICY: Dict[str, List[str]] = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "document-domain": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
+
 LOS_URL = os.environ.get("LOS_URL", "https://devlos.mesh.nycmesh.net")
 MAP_URL = os.environ.get("MAP_BASE_URL", "https://devmap.mesh.nycmesh.net")
 FORMS_URL = os.environ.get("FORMS_URL", "https://devforms.mesh.nycmesh.net")
@@ -118,6 +163,10 @@
         "http://127.0.0.1",
     ]
 
+    CSP_DEFAULT_SRC += [
+        "*",
+    ]
+
 # Application definition
 
 INSTALLED_APPS = [
@@ -148,6 +197,8 @@
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "corsheaders.middleware.CorsMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",