Add various HTTP headers to improve security

nycmeshnet · Oct 12, 2024 · ee99ca1 · ee99ca1
1 parent dc2f0f3
commit ee99ca1
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 3 deletions.
diff --git a/infra/helm/meshdb/templates/nginx_configmap.yaml b/infra/helm/meshdb/templates/nginx_configmap.yaml
@@ -20,9 +20,8 @@ data:
       location / {
         proxy_pass http://{{ include "meshdb.fullname" . }}-meshweb.{{ .Values.meshdb_app_namespace }}.svc.cluster.local:{{ .Values.meshweb.port }}/;
         proxy_set_header Host $host;
-        #proxy_set_header X-Real-IP $remote_addr;
-        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        #proxy_redirect off;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
     }
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -10,6 +10,8 @@ dependencies = [
     "drf-hooks==0.1.3",
     "psycopg2-binary==2.9.*",
     "gunicorn==22.0.*",
+    "django-csp==3.*",
+    "django-permissions-policy==4.22.*",
     "python-dotenv==1.0.*",
     "stringcase==1.2.*",
     "python-dotenv==1.0.*",

diff --git a/src/meshdb/settings.py b/src/meshdb/settings.py
@@ -52,6 +52,43 @@
 
 USE_X_FORWARDED_HOST = True
 
+SECURE_HSTS_SECONDS = 30  # TODO: Increase me to 31536000 https://github.com/nycmeshnet/meshdb/issues/642
+SECURE_HSTS_PRELOAD = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
+CSP_STYLE_SRC = [
+    "'self'",
+    "*.nycmesh.net",
+    "maps.googleapis.com",
+    "maps.gstatic.com",
+    "fonts.googleapis.com",
+    "fonts.gstatic.com",
+]
+
+# We don't use any of these advanced features, so be safe and disallow any scripts from
+# using them on our pages
+PERMISSIONS_POLICY = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "document-domain": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
+
 LOS_URL = os.environ.get("LOS_URL", "https://devlos.mesh.nycmesh.net")
 MAP_URL = os.environ.get("MAP_BASE_URL", "https://devmap.mesh.nycmesh.net")
 FORMS_URL = os.environ.get("FORMS_URL", "https://devforms.mesh.nycmesh.net")
@@ -118,6 +155,10 @@
         "http://127.0.0.1",
     ]
 
+    CSP_STYLE_SRC += [
+        "*",
+    ]
+
 # Application definition
 
 INSTALLED_APPS = [
@@ -148,6 +189,8 @@
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "corsheaders.middleware.CorsMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",