Merge pull request #25 from onaio/override-default-csp

onaio · Mar 7, 2022 · 9a3384f · 9a3384f
2 parents 733a224 + 29eeb72
commit 9a3384f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 1 deletion.
diff --git a/src/app/index.ts b/src/app/index.ts
@@ -36,6 +36,7 @@ import {
   EXPRESS_SESSION_SECRET,
 } from '../configs/envs';
 import { SESSION_IS_EXPIRED, TOKEN_NOT_FOUND, TOKEN_REFRESH_FAILED } from '../constants';
+import { getOriginFromUrl } from '../utils';
 
 type Dictionary = { [key: string]: unknown };
 
@@ -54,7 +55,27 @@ const sessionName = EXPRESS_SESSION_NAME;
 const app = express();
 
 app.use(compression()); // Compress all routes
-app.use(helmet()); // protect against well known vulnerabilities
+// helps mitigate cross-site scripting attacks and other known vulnerabilities
+app.use(
+  helmet({
+    // override default contentSecurityPolicy directive like script-src to include cloudflare cdn and github static content
+    // might consider turning this off to allow individual front-ends set Content-Security-Policy on meta tags themselves if list grows long
+    // <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'  https://cdnjs.cloudflare.com;" >
+    contentSecurityPolicy: {
+      directives: {
+        'script-src': ["'self'", 'https://cdnjs.cloudflare.com', "'unsafe-inline'"],
+        'img-src': ["'self'", 'https://github.com', 'https://*.githubusercontent.com'],
+        // allow connection from keycloak and opensrp server
+        'connect-src': [
+          "'self'",
+          ...getOriginFromUrl(EXPRESS_OPENSRP_AUTHORIZATION_URL),
+          ...getOriginFromUrl(EXPRESS_OPENSRP_USER_URL),
+        ],
+      },
+    },
+    crossOriginEmbedderPolicy: false,
+  }),
+);
 app.use(morgan('combined', { stream: winstonStream })); // send logs to winston
 
 const FileStore = sessionFileStore(session);

diff --git a/src/utils/index.ts b/src/utils/index.ts
@@ -0,0 +1,15 @@
+/**
+ * get the url origin from full url
+ * e.g https://keycloak-example.domain.org from https://keycloak-example.domain.org/auth/realms/example-realm
+ * @param url
+ * @returns
+ */
+export const getOriginFromUrl = (url?: string) => {
+  if (!url) {
+    return [];
+  }
+  const urlObject = new URL(url);
+  return [urlObject.origin];
+};
+
+export default getOriginFromUrl;
diff --git a/src/utils/tests/index.test.ts b/src/utils/tests/index.test.ts
@@ -0,0 +1,16 @@
+import { getOriginFromUrl } from '../index';
+
+describe('test util functions', () => {
+  it('get origin from url', () => {
+    const url = 'https://keycloak-example.domain.org/auth/realms/example-realm';
+    const result = getOriginFromUrl(url);
+    expect(result).toEqual(['https://keycloak-example.domain.org']);
+  });
+  it('returns empty array if url is empty or undefined', () => {
+    const emptyUrl = '';
+    const emptyUrlResult = getOriginFromUrl(emptyUrl);
+    const undefinedUrlResult = getOriginFromUrl();
+    expect(emptyUrlResult).toEqual([]);
+    expect(undefinedUrlResult).toEqual([]);
+  });
+});