FFT-71 Enable csp headers for logging into sentry

uktrade · Oct 4, 2024 · 922f21a · 922f21a
1 parent 6810284
commit 922f21a
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 2 deletions.
diff --git a/.env.ci b/.env.ci
@@ -8,4 +8,5 @@ AUTHBROKER_CLIENT_ID=
 AUTHBROKER_CLIENT_SECRET=
 AUTHBROKER_URL=
 SENTRY_ENVIRONMENT=ci
-SENTRY_DSN=
+SENTRY_DSN=
+CSP_REPORT_URI=" "
diff --git a/.env.example b/.env.example
@@ -26,6 +26,9 @@ SENTRY_ENVIRONMENT=
 SENTRY_KEY=
 SENTRY_PROJECT=
 
+# CSP headers
+CSP_REPORT_URI=
+
 # Vite
 VITE_DEV=True
 

diff --git a/config/settings/base.py b/config/settings/base.py
@@ -281,6 +281,7 @@ def FILTERS_VERBOSE_LOOKUPS():
     "core.no_cache_middleware.NoCacheMiddleware",
     "simple_history.middleware.HistoryRequestMiddleware",
     "axes.middleware.AxesMiddleware",
+    "csp.middleware.CSPMiddleware",
 ]
 
 AUTHENTICATION_BACKENDS = [
@@ -409,3 +410,18 @@ def FILTERS_VERBOSE_LOOKUPS():
         traces_sample_rate=env.float("SENTRY_TRACES_SAMPLE_RATE", 0.0),
         send_default_pii=True,
     )
+
+
+# Content Security Policy header settings
+CSP_DEFAULT_SRC = ("'none'",)
+CSP_SCRIPT_SRC = ("'none'",)
+CSP_SCRIPT_SRC_ATTR = ("'none'",)
+CSP_SCRIPT_SRC_ELEM = ("'none'",)
+CSP_IMG_SRC = ("'none'",)
+CSP_MEDIA_SRC = ("'none'",)
+CSP_FRAME_SRC = ("'none'",)
+CSP_FONT_SRC = ("'none'",)
+CSP_CONNECT_SRC = ("'none'",)
+
+CSP_REPORT_ONLY = True
+CSP_REPORT_URI = env("CSP_REPORT_URI", default=None)
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -44,6 +44,7 @@ redis = "^5.0.3"
 django-import-export = "^3.3.07"
 dbt-copilot-python = "^0.2.1"
 django-log-formatter-asim = "^0.0.4"
+django-csp = "^3.8"
 
 [tool.poetry.group.prod]
 optional = true