diff --git a/infra/helm/meshdb/templates/nginx_configmap.yaml b/infra/helm/meshdb/templates/nginx_configmap.yaml
index f06b1955..59668d9c 100644
--- a/infra/helm/meshdb/templates/nginx_configmap.yaml
+++ b/infra/helm/meshdb/templates/nginx_configmap.yaml
@@ -20,9 +20,8 @@ data:
         location / {
             proxy_pass http://{{ include "meshdb.fullname" . }}-meshweb.{{ .Values.meshdb_app_namespace }}.svc.cluster.local:{{ .Values.meshweb.port }}/;
             proxy_set_header Host $host;
-            #proxy_set_header X-Real-IP $remote_addr;
-            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            #proxy_redirect off;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }
     }
diff --git a/pyproject.toml b/pyproject.toml
index 2225e9a4..2c62ca8f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -10,6 +10,8 @@ dependencies = [
     "drf-hooks==0.1.3",
     "psycopg2-binary==2.9.*",
     "gunicorn==22.0.*",
+    "django-csp==3.*",
+    "django-permissions-policy==4.22.*",
     "python-dotenv==1.0.*",
     "stringcase==1.2.*",
     "python-dotenv==1.0.*",
diff --git a/src/meshdb/settings.py b/src/meshdb/settings.py
index b0cc51a5..920b092b 100644
--- a/src/meshdb/settings.py
+++ b/src/meshdb/settings.py
@@ -13,7 +13,7 @@
 import logging
 import os
 from pathlib import Path
-from typing import Any, Dict
+from typing import Any, Dict, List
 from django.http.request import HttpRequest
 from dotenv import load_dotenv
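Review bot: `proxy_set_header X-Forwarded-Proto https;` asserts TLS unconditionally, and settings.py in this same commit sets `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")`, so Django will report every request as secure no matter how it reached nginx — secure-flagged cookies and any HSTS/redirect logic then behave as if plain HTTP cannot happen. If TLS is terminated at this nginx, `proxy_set_header X-Forwarded-Proto $scheme;` reflects the real connection; if it is terminated further upstream (an ingress), the value that hop sets should be forwarded rather than replaced with a constant, and nginx should only be reachable from that hop. Whichever applies, a comment next to this line such as `# TLS is terminated by <upstream hop>; X-Forwarded-Proto is fixed to https because nginx never receives plain HTTP` records the assumption so the constant is not copied into a deployment where it does not hold. The enclosing `server` block starts outside the hunk.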
@@ -52,6 +52,51 @@
 USE_X_FORWARDED_HOST = True
+SECURE_HSTS_SECONDS = 30 # TODO: Increase me to 31536000 https://github.com/nycmeshnet/meshdb/issues/642
+SECURE_HSTS_PRELOAD = False
+SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
+CSP_REPORT_ONLY = True # TODO: Set me to false https://github.com/nycmeshnet/meshdb/issues/644
+CSP_DEFAULT_SRC = [
+    "'self'",
+    "*.nycmesh.net",
+    "maps.googleapis.com",
+    "maps.gstatic.com",
+    "fonts.googleapis.com",
+    "fonts.gstatic.com",
+    "'unsafe-inline'", # TODO: Remove me https://github.com/nycmeshnet/meshdb/issues/645
+    "*.browser-intake-us5-datadoghq.com",
+]
+CSP_REPORT_URI = [
+    "https://csp-report.browser-intake-us5-datadoghq.com/api/v2/logs"
+    "?dd-api-key=pubca00a94e49167539d2e291bea2b0f20f&dd-evp-origin=content-security-policy"
+    f"&ddsource=csp-report&ddtags=service%3Ameshdb%2Cenv%3A{MESHDB_ENVIRONMENT}"
+]
+
+# We don't use any of these advanced features, so be safe and disallow any scripts from
+# using them on our pages
+PERMISSIONS_POLICY: Dict[str, List[str]] = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "document-domain": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
+
 LOS_URL = os.environ.get("LOS_URL", "https://devlos.mesh.nycmesh.net")
 MAP_URL = os.environ.get("MAP_BASE_URL", "https://devmap.mesh.nycmesh.net")
 FORMS_URL = os.environ.get("FORMS_URL", "https://devforms.mesh.nycmesh.net")
@@ -118,6 +163,10 @@
     "http://127.0.0.1",
 ]
+    CSP_DEFAULT_SRC += [
+        "*",
+    ]
+
 # Application definition
 INSTALLED_APPS = [
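Review bot: `CSP_DEFAULT_SRC` is the only directive configured, and `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so this policy says nothing about framing, `<base>` injection or where forms may post — and with `'unsafe-inline'` still allowed, those are the parts of CSP that would actually restrict something today. django-csp 3.x exposes them as `CSP_FRAME_ANCESTORS = ["'none'"]`, `CSP_BASE_URI = ["'self'"]` and `CSP_FORM_ACTION = ["'self'"]` (widen the last if any form posts cross-origin); they can roll out under the same report-only flag as the rest. The Datadog key embedded in `CSP_REPORT_URI` is hardcoded in source: if it is a browser client token (the `pub` prefix suggests so — confirm), a comment saying it is designed to be public would stop the next reader from treating it as a leaked secret; otherwise it should come from the environment the way `MESHDB_ENVIRONMENT` does. `MESHDB_ENVIRONMENT` is defined outside the hunk.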
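Review bot: `CSP_DEFAULT_SRC += ["*"]` widens the policy to every origin in whatever environment the enclosing conditional selects, and combined with `'unsafe-inline'` that leaves no effective policy there; the conditional starts outside the hunk, so which environment that is cannot be confirmed from here. If this is the local/debug branch, a one-line comment such as `# Local development only: allow any origin so local tooling is not blocked by CSP` makes the intent explicit and keeps it from being mistaken for a production setting. If the branch can ever apply to a deployed environment, the addition should instead list the specific local hosts named just above rather than `"*"`.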
@@ -148,6 +197,8 @@
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "corsheaders.middleware.CorsMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
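Review bot: The two new header-only middlewares are placed below `corsheaders.middleware.CorsMiddleware`, which (in its default configuration, as far as I can tell) answers CORS preflight requests itself, so those responses will not pass through `PermissionsPolicyMiddleware` or `CSPMiddleware` and will carry neither header. That is harmless for a preflight, but the position should be documented so it is not read as accidental and later "fixed" by moving the CORS middleware, e.g. `# Response-header middleware; sits after CorsMiddleware so preflight responses stay minimal`. The `MIDDLEWARE` list continues outside the hunk.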