Add report to header config (#30)

* Add report to header config * Support report only mode on csp * Expose all headers as configs * Remove reportOnly from directives * Add reportOnly config to CSP fixture config * Update sample and mock envs * Remove report-only fixture
onaio · Jun 29, 2022 · 80fd0e6 · 80fd0e6
1 parent 7374620
commit 80fd0e6
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 1 deletion.
diff --git a/.env.sample b/.env.sample
@@ -38,3 +38,6 @@ EXPRESS_CONTENT_SECURITY_POLICY_CONFIG=`{"default-src":["'self'"]}`
 EXPRESS_REDIS_STAND_ALONE_URL=redis://username:[email protected]:6379/4
 
 EXPRESS_REDIS_SENTINEL_CONFIG='{"name":"master","sentinelUsername":"u_name","sentinelPassword":"pass","db":4,"sentinels":[{"host":"127.0.0.1","port":6379},{"host":"127.0.0.1","port":6379}]}'
+
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to. `Map<string, stringifiedJson>`.
+EXPRESS_RESPONSE_HEADERS='{"Report-To":"{ \"group\": \"csp-endpoint\", \"max_age\": 10886400, \"endpoints\": [{ \"url\": \"https://example.com/endpoint\" }] }", "Access-Control-Allow-Headers": "GET"}'
diff --git a/src/app/index.ts b/src/app/index.ts
@@ -39,6 +39,7 @@ import {
   EXPRESS_REDIS_STAND_ALONE_URL,
   EXPRESS_REDIS_SENTINEL_CONFIG,
   EXPRESS_CONTENT_SECURITY_POLICY_CONFIG,
+  EXPRESS_RESPONSE_HEADERS,
 } from '../configs/envs';
 import { SESSION_IS_EXPIRED, TOKEN_NOT_FOUND, TOKEN_REFRESH_FAILED } from '../constants';
 
@@ -60,6 +61,7 @@ const app = express();
 
 app.use(compression()); // Compress all routes
 // helps mitigate cross-site scripting attacks and other known vulnerabilities
+
 app.use(
   helmet({
     // override default contentSecurityPolicy directive like script-src to include cloudflare cdn and github static content
@@ -136,6 +138,18 @@ if (app.get('env') === 'production') {
 
 app.use(cookieParser());
 app.use(session(sess));
+// apply other headers to reponse
+app.use((_, res, next) => {
+  const customHeaders = Object.entries(EXPRESS_RESPONSE_HEADERS);
+  if (customHeaders.length > 0) {
+    customHeaders.forEach(([key, value]) => {
+      if (typeof value === 'string' && value !== '') {
+        res.header(key, value);
+      }
+    });
+  }
+  next();
+});
 
 class HttpException extends Error {
   public statusCode: number;

diff --git a/src/app/tests/index.test.ts b/src/app/tests/index.test.ts
@@ -120,7 +120,11 @@ describe('src/index.ts', () => {
       .expect(200)
       .expect((res) => {
         const csp = res.headers['content-security-policy'];
+        const reportTo = res.headers['report-to'];
         expect(csp).toContain(`default-src 'self';report-uri https://example.com;`);
+        expect(reportTo).toEqual(
+          '{ "group": "csp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/csp-reports" }] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/hpkp-reports" }] }',
+        );
       })
       .expect('Do you mind\n')
       .catch((err: Error) => {

diff --git a/src/configs/__mocks__/envs.ts b/src/configs/__mocks__/envs.ts
@@ -67,4 +67,12 @@ export const EXPRESS_MAXIMUM_LOG_FILES_NUMBER = 5;
 export const EXPRESS_LOGS_FILE_PATH = './logs/default-error.log';
 
 export const EXPRESS_COMBINED_LOGS_FILE_PATH = './logs/default-error-and-info.log';
-export const EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = { 'default-src': ["'self'"], reportUri: 'https://example.com' };
+export const EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = {
+  'default-src': ["'self'"],
+  reportUri: 'https://example.com',
+};
+
+export const EXPRESS_RESPONSE_HEADERS = {
+  'Report-To':
+    '{ "group": "csp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/csp-reports" }] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/hpkp-reports" }] }',
+};
diff --git a/src/configs/envs.ts b/src/configs/envs.ts
@@ -102,6 +102,7 @@ export type EXPRESS_COMBINED_LOGS_FILE_PATH = typeof EXPRESS_COMBINED_LOGS_FILE_
 const defaultCsp = JSON.stringify({
   'default-src': ['none'],
 });
+
 export const EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = JSON.parse(
   process.env.EXPRESS_CONTENT_SECURITY_POLICY_CONFIG || defaultCsp,
 );
@@ -112,3 +113,6 @@ export const { EXPRESS_REDIS_STAND_ALONE_URL } = process.env;
 
 // see https://github.com/luin/ioredis#sentinel
 export const EXPRESS_REDIS_SENTINEL_CONFIG = JSON.parse(process.env.EXPRESS_REDIS_SENTINEL_CONFIG || '{}');
+
+export const EXPRESS_RESPONSE_HEADERS = JSON.parse(process.env.EXPRESS_RESPONSE_HEADERS || '{}');
+export type EXPRESS_RESPONSE_HEADERS = typeof EXPRESS_RESPONSE_HEADERS;