move CSP to nginx again

master
Aevann 2022-12-31 08:38:59 +02:00
parent 8362a4c497
commit 0c303b81a3
4 changed files with 14 additions and 59 deletions


@ -58,56 +58,12 @@ def before_request():
g.nonce = secrets.token_urlsafe(31)
CSP = {
"upgrade-insecure-requests": "",
"default-src": "'none'",
"frame-ancestors": "'none'",
"form-action": "'self'",
"manifest-src": "'self'",
"worker-src": "'self'",
"base-uri": "'self'",
"font-src": "'self'",
"style-src-elem": "'self'",
"style-src-attr": "'unsafe-inline'",
"style-src": "'self' 'unsafe-inline'",
"script-src-elem": "'self' challenges.cloudflare.com",
"script-src-attr": "'none'",
"script-src": "'self' challenges.cloudflare.com",
"media-src": "https:",
"img-src": "https: data:",
"frame-src": "challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com",
"connect-src": "'self' tls-use1.fpapi.io api.fpjs.io",
"report-to": "csp",
"report-uri": "/csp_violations",
}
if IS_LOCALHOST:
CSP["media-src"] += " http:"
CSP["img-src"] += " http:"
CSP_str = ''
for k, val in CSP.items():
CSP_str += f'{k} {val}; '
@app.after_request
def after_request(response:Response):
if response.status_code < 400:
_set_cloudflare_cookie(response)
_commit_and_close_db()
response.headers.add("Report-To", {"group":"csp","max_age":10886400,"endpoints":[{"url":"/csp_violations"}]})
response.headers.add("Content-Security-Policy", CSP_str)
return response
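Review bot: In the surviving `after_request` body the rendering has lost indentation, so it is unclear whether `_commit_and_close_db()` sits inside the `if response.status_code < 400:` branch together with `_set_cloudflare_cookie`; if it does, an error response leaves the hook without committing or closing the session, which is only safe if a `teardown_request`/`teardown_appcontext` elsewhere rolls back and closes it — worth confirming, and if nothing does, move the close out of the conditional. Also, `g.nonce = secrets.token_urlsafe(31)` at the top of the first hunk was never consumed by the removed CSP dict (no `'nonce-…'` source appears in `script-src` or `script-src-elem`), so if that line is kept it is dead unless a template uses it for something else; either delete it or add `# nonce is not part of the CSP; used by <where>` so the next reader does not assume nonce-based CSP. `before_request` begins before the visible lines of this hunk.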


@ -2,3 +2,5 @@ add_header Referrer-Policy "same-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options "deny";
add_header X-Content-Type-Options "nosniff";
add_header Report-To "{'group': 'csp', 'max_age': 10886400, 'endpoints': [{'url': '/csp_violations'}]}";
add_header Content-Security-Policy "upgrade-insecure-requests ; default-src 'none'; frame-ancestors 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; base-uri 'self'; font-src 'self'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' challenges.cloudflare.com; script-src-attr 'none'; script-src 'self' challenges.cloudflare.com; media-src 'self' https:; img-src 'self' https: data:; frame-src challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com; connect-src 'self' tls-use1.fpapi.io api.fpjs.io; report-to csp; report-uri /csp_violations;";
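Review bot: The `Report-To` value on the new `add_header Report-To` line is not JSON — its keys and strings are single-quoted — so browsers discard the header and the `report-to csp` directive in the CSP line below it resolves to no endpoint, leaving only the legacy `report-uri` to deliver violation reports. Quote it the other way round so the body is real JSON: `add_header Report-To '{"group":"csp","max_age":10886400,"endpoints":[{"url":"/csp_violations"}]}';` (the removed Python code had the same flaw, since it passed a dict that was stringified). Separately, nginx emits `add_header` values only on 2xx/3xx responses unless `always` is appended, so 4xx/5xx pages proxied from the app currently go out without CSP, HSTS or X-Frame-Options; if those responses render HTML, add `always` to each directive here. This file is included from locations that declare their own `add_header`, which is what keeps these headers from vanishing there — nginx does not inherit `add_header` into a level that sets any of its own — so any future location with an extra header needs the same include.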


@ -1,5 +1,4 @@
include includes/headers;
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;


@ -5,7 +5,6 @@ server {
listen [::]:80;
proxy_set_header Host $http_host;
include includes/headers;
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
location / {
proxy_pass http://localhost:5000/;
@ -19,12 +18,23 @@ server {
proxy_set_header Connection "Upgrade";
proxy_pass http://localhost:5001/socket.io;
include includes/headers;
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
}
location /chat {
proxy_pass http://localhost:5001/chat;
include includes/headers;
}
location =/offline.html {
alias /rDrama/files/assets/offline.html;
include includes/headers;
}
error_page 502 = /502.html;
location =/502.html {
alias /rDrama/files/templates/errors/rDrama/502.html;
include includes/headers;
add_header Cache-Control "no-store";
}
location /images/ {
alias /images/;
@ -76,16 +86,4 @@ server {
alias /rDrama/files/assets/images/rDrama/icon.webp;
include includes/serve-static;
}
location =/offline.html {
alias /rDrama/files/assets/offline.html;
add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; img-src data:; report-uri /csp_violations;";
}
error_page 502 = /502.html;
location =/502.html {
alias /rDrama/files/templates/errors/rDrama/502.html;
add_header Cache-Control "no-store";
add_header Content-Security-Policy "default-src 'none'; style-src 'self'; font-src 'self'; img-src 'self'; report-uri /csp_violations;";
}
}
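Review bot: The `error_page 502 = /502.html;` line kept in the second hunk replaces a backend outage with whatever status the internal redirect produces (200 for the static file), so uptime monitors, the Cloudflare edge and any service-worker offline fallback that `offline.html` hints at see a successful response while the app is down; if that is not intentional, drop the `=` so the page is served with the real status: `error_page 502 /502.html;`. The last hunk also removes the deliberately narrower per-page policies for `offline.html` and `502.html` (`default-src 'none'` plus only the sources each page needs) in favour of the site-wide policy from `includes/headers`, which is a superset; for static pages with no user content that is acceptable, but it is a loosening worth a comment on those locations, e.g. `# CSP now comes from includes/headers (broader than the old per-page policy)`. The `server {` block these hunks belong to starts before the visible lines.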