forked from MarseyWorld/MarseyWorld
move CSP to nginx again
parent
8362a4c497
commit
0c303b81a3
|
@ -58,56 +58,12 @@ def before_request():
|
||||||
|
|
||||||
g.nonce = secrets.token_urlsafe(31)
|
g.nonce = secrets.token_urlsafe(31)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
CSP = {
|
|
||||||
"upgrade-insecure-requests": "",
|
|
||||||
|
|
||||||
"default-src": "'none'",
|
|
||||||
"frame-ancestors": "'none'",
|
|
||||||
|
|
||||||
"form-action": "'self'",
|
|
||||||
"manifest-src": "'self'",
|
|
||||||
"worker-src": "'self'",
|
|
||||||
"base-uri": "'self'",
|
|
||||||
"font-src": "'self'",
|
|
||||||
|
|
||||||
"style-src-elem": "'self'",
|
|
||||||
"style-src-attr": "'unsafe-inline'",
|
|
||||||
"style-src": "'self' 'unsafe-inline'",
|
|
||||||
|
|
||||||
"script-src-elem": "'self' challenges.cloudflare.com",
|
|
||||||
"script-src-attr": "'none'",
|
|
||||||
"script-src": "'self' challenges.cloudflare.com",
|
|
||||||
|
|
||||||
"media-src": "https:",
|
|
||||||
"img-src": "https: data:",
|
|
||||||
|
|
||||||
"frame-src": "challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com",
|
|
||||||
"connect-src": "'self' tls-use1.fpapi.io api.fpjs.io",
|
|
||||||
|
|
||||||
"report-to": "csp",
|
|
||||||
"report-uri": "/csp_violations",
|
|
||||||
}
|
|
||||||
|
|
||||||
if IS_LOCALHOST:
|
|
||||||
CSP["media-src"] += " http:"
|
|
||||||
CSP["img-src"] += " http:"
|
|
||||||
|
|
||||||
CSP_str = ''
|
|
||||||
|
|
||||||
for k, val in CSP.items():
|
|
||||||
CSP_str += f'{k} {val}; '
|
|
||||||
|
|
||||||
@app.after_request
|
@app.after_request
|
||||||
def after_request(response:Response):
|
def after_request(response:Response):
|
||||||
if response.status_code < 400:
|
if response.status_code < 400:
|
||||||
_set_cloudflare_cookie(response)
|
_set_cloudflare_cookie(response)
|
||||||
_commit_and_close_db()
|
_commit_and_close_db()
|
||||||
|
|
||||||
response.headers.add("Report-To", {"group":"csp","max_age":10886400,"endpoints":[{"url":"/csp_violations"}]})
|
|
||||||
response.headers.add("Content-Security-Policy", CSP_str)
|
|
||||||
|
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2,3 +2,5 @@ add_header Referrer-Policy "same-origin";
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
||||||
add_header X-Frame-Options "deny";
|
add_header X-Frame-Options "deny";
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
|
add_header Report-To "{'group': 'csp', 'max_age': 10886400, 'endpoints': [{'url': '/csp_violations'}]}";
|
||||||
|
add_header Content-Security-Policy "upgrade-insecure-requests ; default-src 'none'; frame-ancestors 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; base-uri 'self'; font-src 'self'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' challenges.cloudflare.com; script-src-attr 'none'; script-src 'self' challenges.cloudflare.com; media-src 'self' https:; img-src 'self' https: data:; frame-src challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com; connect-src 'self' tls-use1.fpapi.io api.fpjs.io; report-to csp; report-uri /csp_violations;";
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
include includes/headers;
|
include includes/headers;
|
||||||
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
sendfile_max_chunk 1m;
|
sendfile_max_chunk 1m;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
|
|
26
nginx.conf
26
nginx.conf
|
@ -5,7 +5,6 @@ server {
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
include includes/headers;
|
include includes/headers;
|
||||||
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://localhost:5000/;
|
proxy_pass http://localhost:5000/;
|
||||||
|
@ -19,12 +18,23 @@ server {
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_pass http://localhost:5001/socket.io;
|
proxy_pass http://localhost:5001/socket.io;
|
||||||
include includes/headers;
|
include includes/headers;
|
||||||
add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
|
|
||||||
}
|
}
|
||||||
location /chat {
|
location /chat {
|
||||||
proxy_pass http://localhost:5001/chat;
|
proxy_pass http://localhost:5001/chat;
|
||||||
include includes/headers;
|
include includes/headers;
|
||||||
}
|
}
|
||||||
|
location =/offline.html {
|
||||||
|
alias /rDrama/files/assets/offline.html;
|
||||||
|
include includes/headers;
|
||||||
|
}
|
||||||
|
error_page 502 = /502.html;
|
||||||
|
location =/502.html {
|
||||||
|
alias /rDrama/files/templates/errors/rDrama/502.html;
|
||||||
|
include includes/headers;
|
||||||
|
add_header Cache-Control "no-store";
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
location /images/ {
|
location /images/ {
|
||||||
alias /images/;
|
alias /images/;
|
||||||
|
@ -76,16 +86,4 @@ server {
|
||||||
alias /rDrama/files/assets/images/rDrama/icon.webp;
|
alias /rDrama/files/assets/images/rDrama/icon.webp;
|
||||||
include includes/serve-static;
|
include includes/serve-static;
|
||||||
}
|
}
|
||||||
location =/offline.html {
|
|
||||||
alias /rDrama/files/assets/offline.html;
|
|
||||||
add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; img-src data:; report-uri /csp_violations;";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
error_page 502 = /502.html;
|
|
||||||
location =/502.html {
|
|
||||||
alias /rDrama/files/templates/errors/rDrama/502.html;
|
|
||||||
add_header Cache-Control "no-store";
|
|
||||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self'; font-src 'self'; img-src 'self'; report-uri /csp_violations;";
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue