Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add csp header configuration for review #103

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

saurabh2590
Copy link
Contributor

@saurabh2590 saurabh2590 commented Jun 17, 2024

Description

  • Adding CSP Headers configuration for bettermarks proxied domains.

Links to Tickets or other pull requests

OPS-6579

Changes

Datasecurity

Deployment

New Repos, NPM pakages or vendor scripts

Screenshots of UI changes

Approval for review

  • All points were discussed with the ticket creator, support-team or product owner. The code upholds all quality guidelines from the PR-template.

Notice: Please remove the WIP label if the PR is ready to review, otherwise nobody will review it.

proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
# We don't know how to add root domain.
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
Copy link
Contributor Author

@saurabh2590 saurabh2590 Jun 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intent:
Here, we want to add the following config:
This is an example of Brandenburg should be similar to Niedersachsen, too.
Staging:

add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.bettermarks.staging.brandenburg.dbildungscloud.org *.staging.brandenburg.dbildungscloud.org; report-uri https://csp-report.bettermarks.staging.brandenburg.dbildungscloud.org/csp/report-only";

Production:

add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.bettermarks.brandenburg.cloud *.brandenburg.cloud; report-uri https://csp-report.brandenburg.cloud/csp/report-only";

@saurabh2590 saurabh2590 force-pushed the BM-61918/adapt-csp-headers-proxying branch from 4970682 to e9e3809 Compare June 17, 2024 11:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant