Make csp directive policy configurable via env (#29)

.env.sample

@@ -31,3 +31,6 @@ EXPRESS_KEYCLOAK_LOGOUT_URL=https://keycloak-stage.smartregister.org/auth/realms
 EXPRESS_MAXIMUM_LOGS_FILE_SIZE=5242880 # 5MB
 EXPRESS_MAXIMUM_LOG_FILES_NUMBER=5
 EXPRESS_LOGS_FILE_PATH='/home/.express/reveal-express-server.log
+
+# https://github.com/helmetjs/helmet#reference
+EXPRESS_CONTENT_SECURITY_POLICY_CONFIG=`{"default-src":["'self'"]}`

src/app/index.ts

@@ -34,9 +34,9 @@ import {
   EXPRESS_SESSION_NAME,
   EXPRESS_SESSION_PATH,
   EXPRESS_SESSION_SECRET,
+  EXPRESS_CONTENT_SECURITY_POLICY_CONFIG,
 } from '../configs/envs';
 import { SESSION_IS_EXPIRED, TOKEN_NOT_FOUND, TOKEN_REFRESH_FAILED } from '../constants';
-import { getOriginFromUrl } from '../utils';
 
 type Dictionary = { [key: string]: unknown };
 
@@ -62,16 +62,7 @@ app.use(
     // might consider turning this off to allow individual front-ends set Content-Security-Policy on meta tags themselves if list grows long
     // <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'  https://cdnjs.cloudflare.com;" >
     contentSecurityPolicy: {
-      directives: {
-        'script-src': ["'self'", 'https://cdnjs.cloudflare.com', "'unsafe-inline'"],
-        'img-src': ["'self'", 'https://github.com', 'https://*.githubusercontent.com'],
-        // allow connection from keycloak and opensrp server
-        'connect-src': [
-          "'self'",
-          ...getOriginFromUrl(EXPRESS_OPENSRP_AUTHORIZATION_URL),
-          ...getOriginFromUrl(EXPRESS_OPENSRP_USER_URL),
-        ],
-      },
+      directives: EXPRESS_CONTENT_SECURITY_POLICY_CONFIG,
     },
     crossOriginEmbedderPolicy: false,
   }),

src/app/tests/index.errors.test.ts

@@ -4,6 +4,8 @@ import app from '../index';
 
 const oauthCallbackUri = '/oauth/callback/OpenSRP/?code=Boi4Wz&state=openssh';
 
+jest.mock('../../configs/envs');
+
 const panic = (err: Error, done: jest.DoneCallback): void => {
   // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
   if (err) {

src/app/tests/index.test.ts

@@ -123,6 +123,10 @@ describe('src/index.ts', () => {
     request(app)
       .get('/')
       .expect(200)
+      .expect((res) => {
+        const csp = res.headers['content-security-policy'];
+        expect(csp).toContain(`default-src 'self';report-uri https://example.com;`);
+      })
       .expect('Do you mind\n')
       .catch((err: Error) => {
         throw err;

src/configs/__mocks__/envs.ts

@@ -67,3 +67,4 @@ export const EXPRESS_MAXIMUM_LOG_FILES_NUMBER = 5;
 export const EXPRESS_LOGS_FILE_PATH = './logs/default-error.log';
 
 export const EXPRESS_COMBINED_LOGS_FILE_PATH = './logs/default-error-and-info.log';
+export const EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = { 'default-src': ["'self'"], reportUri: 'https://example.com' };

src/configs/envs.ts

@@ -98,3 +98,11 @@ export type EXPRESS_LOGS_FILE_PATH = typeof EXPRESS_LOGS_FILE_PATH;
 export const EXPRESS_COMBINED_LOGS_FILE_PATH =
   process.env.EXPRESS_COMBINED_LOGS_FILE_PATH || './logs/default-error-and-info.log';
 export type EXPRESS_COMBINED_LOGS_FILE_PATH = typeof EXPRESS_COMBINED_LOGS_FILE_PATH;
+
+const defaultCsp = JSON.stringify({
+  'default-src': ['none'],
+});
+export const EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = JSON.parse(
+  process.env.EXPRESS_CONTENT_SECURITY_POLICY_CONFIG || defaultCsp,
+);
+export type EXPRESS_CONTENT_SECURITY_POLICY_CONFIG = typeof EXPRESS_CONTENT_SECURITY_POLICY_CONFIG;