
feat: security headers for apps #65

Merged
merged 24 commits into from
Jul 25, 2024

Conversation

mohandast52
Collaborator

@mohandast52 mohandast52 commented Jul 17, 2024

Proposed changes

  • Extracted middleware to a common library for managing security headers and country-based blocking, applied across all apps (every app should load & registry app should work exactly the same as before).
  • Also, any issues with the Bond and Tokenomics apps will be addressed during the final migration, which is scheduled for the coming weeks.
  • Apps security headers & blocking applied:
    • Registry
    • Bond
    • Tokenomics
    • Govern
    • Launch

NOTE: Please let me know if any issues arise.

  • Here's why avoiding 'unsafe-inline' for styles is okay: Scott Helme's explanation. While challenging to remove, it can be fixed through strict CSP settings. Let me know your thoughts - I struggled removing it entirely; it's not as straightforward as it appears 🥲

Reports (for registry app)

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

@mohandast52 mohandast52 added the enhancement New feature or request label Jul 17, 2024
@mohandast52 mohandast52 self-assigned this Jul 17, 2024

vercel bot commented Jul 17, 2024

Name | Status | Comments | Updated (UTC)
bond | ✅ Ready | 1 resolved | Jul 24, 2024 6:59pm
govern | ✅ Ready | - | Jul 24, 2024 6:59pm
launch | ✅ Ready | - | Jul 24, 2024 6:59pm
registry | ✅ Ready | 1 resolved | Jul 24, 2024 6:59pm
tokenomics | ✅ Ready | - | Jul 24, 2024 6:59pm

@oaksprout
Collaborator

  • Bond – 1 comment on Vercel about a CORS issue on Bonding Products – not sure how relevant
  • Tokenomics – appears fine, though I couldn't properly test Bonding Products and My Bonds
  • Launch – no issues
  • Govern – no issues
  • Registry – 1 CORS issue, reported via Vercel

@mohandast52
Collaborator Author

@oaksprout
for registry - I checked some of the agents and components and listed a few links for images as part of the CSP. In the short term, we need to add those URLs in our middleware. For the long term, we should restrict users from entering any random URL and maybe provide a dropdown of allowed URLs.

for bonds - we can avoid that as of now
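The comment above raises two sides of the same problem: image URLs that users entered for registry entries must appear in the CSP img-src allowlist, and in the long run user input should be restricted to approved origins. The following is an added example (not the project's code) showing how to derive both from one list so the form check and the browser-enforced policy cannot drift apart. The allowed origins are constructed placeholders.

```javascript
// Added example, not the project's code. Constructed placeholder origins;
// in a real deployment this list is the single source of truth shared by the
// registry form validation and the middleware that emits the CSP.
const ALLOWED_IMAGE_ORIGINS = [
  "https://cdn.example.org",
  "https://images.example.net",
];

// Validate a user-supplied image URL. Returns the normalized URL string when
// it is acceptable, or null when it must be rejected.
function validateImageUrl(raw, allowed = ALLOWED_IMAGE_ORIGINS) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return null; // relative paths, empty strings, garbage: not an absolute URL
  }
  // Only https: is allowed; this also rejects data:, javascript: and blob: URLs.
  if (url.protocol !== "https:") return null;
  // Refuse embedded credentials such as https://cdn.example.org@evil.com/…
  // or https://evil.com@cdn.example.org/…; they only exist to confuse readers.
  if (url.username || url.password) return null;
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://cdn.example.org.evil.com" must not pass a startsWith() check.
  if (!allowed.includes(url.origin)) return null;
  return url.href;
}

// Build the img-src directive from the same list the validator uses.
function imgSrcDirective(allowed = ALLOWED_IMAGE_ORIGINS) {
  return `img-src 'self' data: ${allowed.join(" ")}`;
}

// Stand-alone demo with constructed inputs.
for (const candidate of [
  "https://cdn.example.org/agent.png",
  "https://cdn.example.org.evil.com/agent.png",
  "javascript:alert(1)",
]) {
  console.log(candidate, "->", validateImageUrl(candidate));
}
console.log(imgSrcDirective());
```

Validating on the server side with the parsed origin is what makes the dropdown of allowed domains mentioned in the thread a UX aid rather than the security control: the control is this check plus the matching img-src directive.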

@oaksprout
Collaborator

oaksprout commented Jul 24, 2024 via email

@mohandast52
Collaborator Author

mohandast52 commented Jul 24, 2024

under the NFT image field, saying which domains are supported

@oaksprout is this good?

Screenshot

@mohandast52 mohandast52 merged commit 37375b3 into main Jul 25, 2024
11 checks passed
@mohandast52 mohandast52 deleted the mohan/security-header branch July 25, 2024 08:06