Merge pull request #25 from onaio/override-default-csp
machariamuguku authored Mar 7, 2022
2 parents 733a224 + 29eeb72 commit 9a3384f
Showing 3 changed files with 53 additions and 1 deletion.
23 changes: 22 additions & 1 deletion src/app/index.ts
Expand Up @@ -36,6 +36,7 @@ import {
EXPRESS_SESSION_SECRET,
} from '../configs/envs';
import { SESSION_IS_EXPIRED, TOKEN_NOT_FOUND, TOKEN_REFRESH_FAILED } from '../constants';
import { getOriginFromUrl } from '../utils';

type Dictionary = { [key: string]: unknown };

Expand All @@ -54,7 +55,27 @@ const sessionName = EXPRESS_SESSION_NAME;
const app = express();

app.use(compression()); // Compress all routes
app.use(helmet()); // protect against well known vulnerabilities
// helps mitigate cross-site scripting attacks and other known vulnerabilities
app.use(
helmet({
// override default contentSecurityPolicy directive like script-src to include cloudflare cdn and github static content
// might consider turning this off to allow individual front-ends set Content-Security-Policy on meta tags themselves if list grows long
// <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;" >
contentSecurityPolicy: {
directives: {
'script-src': ["'self'", 'https://cdnjs.cloudflare.com', "'unsafe-inline'"],
'img-src': ["'self'", 'https://github.com', 'https://*.githubusercontent.com'],
// allow connection from keycloak and opensrp server
'connect-src': [
"'self'",
...getOriginFromUrl(EXPRESS_OPENSRP_AUTHORIZATION_URL),
...getOriginFromUrl(EXPRESS_OPENSRP_USER_URL),
],
},
},
crossOriginEmbedderPolicy: false,
}),
);
app.use(morgan('combined', { stream: winstonStream })); // send logs to winston

const FileStore = sessionFileStore(session);
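Review bot: `'unsafe-inline'` in the `'script-src'` directive allows any inline script that reaches the page to execute, which undercuts the comment just above `app.use(helmet({` saying the policy helps mitigate cross-site scripting; the CDN and origin allow-listing is still worthwhile, but the XSS claim should be narrowed. Depending on the helmet version in use (not visible here), supplying `contentSecurityPolicy.directives` may replace helmet's default directive set rather than extend it unless `useDefaults: true` is set, so it is worth confirming that the emitted header still carries `default-src 'self'` and the other defaults. A comment such as `// NOTE: 'unsafe-inline' in script-src removes most of the script-injection protection CSP offers; move to nonces/hashes once the front-ends support them` would keep the trade-off visible to the next maintainer. Both hunks in this section are module top-level code that continues outside the hunk.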
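--- a/src/utils/index.ts
+++ b/src/utils/index.ts
@@ -0,0 +1,15 @@
+/**
+* get the url origin from full url
+* e.g https://keycloak-example.domain.org from https://keycloak-example.domain.org/auth/realms/example-realm
+* @param url
+* @returns
+*/
+export const getOriginFromUrl = (url?: string) => {
+if (!url) {
+return [];
+}
+const urlObject = new URL(url);
+return [urlObject.origin];
+};
+
+export default getOriginFromUrl;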
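Review bot: `const urlObject = new URL(url);` throws a TypeError when the value is present but not an absolute URL (for example an env setting holding a bare hostname), and that error carries no hint of which setting was wrong; since the callers in src/app/index.ts pass `EXPRESS_OPENSRP_AUTHORIZATION_URL` and `EXPRESS_OPENSRP_USER_URL` at app start-up, a wrapped error would make a misconfiguration obvious instead of a bare URL-parsing stack trace. Something like `let urlObject: URL; try { urlObject = new URL(url); } catch { throw new Error('getOriginFromUrl: "' + url + '" is not an absolute URL'); }` keeps the fail-fast behaviour (silently dropping the origin would leave the CSP blocking the server) while naming the bad value. The `@param url` and `@returns` tags are also empty; `@param url absolute URL, or undefined/empty when the setting is unset` and `@returns a one-element array holding the URL origin, or an empty array when url is falsy` would complete them, and an explicit `: string[]` return type on the signature would state the contract where callers read it.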
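--- a/src/utils/tests/index.test.ts
+++ b/src/utils/tests/index.test.ts
@@ -0,0 +1,16 @@
+import { getOriginFromUrl } from '../index';
+
+describe('test util functions', () => {
+it('get origin from url', () => {
+const url = 'https://keycloak-example.domain.org/auth/realms/example-realm';
+const result = getOriginFromUrl(url);
+expect(result).toEqual(['https://keycloak-example.domain.org']);
+});
+it('returns empty array if url is empty or undefined', () => {
+const emptyUrl = '';
+const emptyUrlResult = getOriginFromUrl(emptyUrl);
+const undefinedUrlResult = getOriginFromUrl();
+expect(emptyUrlResult).toEqual([]);
+expect(undefinedUrlResult).toEqual([]);
+});
+});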
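Review bot: Neither case covers a malformed input, yet `new URL` inside getOriginFromUrl throws a TypeError for a string without a scheme, and that fail-fast is what stops a bad env value from silently weakening the connect-src allow-list built in src/app/index.ts. A third case such as `expect(() => getOriginFromUrl('keycloak-example.domain.org')).toThrow(TypeError);` would pin that contract so a later change to swallow the error is caught. The empty-input case could also assert on a whitespace-only string if that is meant to count as unset, since the current `!url` check passes it through to the URL parser.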
