Merge pull request #276 from equinor/feat/add-security-headers

✨ add security headers
equinor · Sep 11, 2023 · e50abe7 · e50abe7
2 parents 9524fac + de09a73
commit e50abe7
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -26,7 +26,8 @@ USER 0
 # Clear default nginx html file
 RUN rm -rf /usr/share/nginx/html/*
 COPY --from=builder /app/storybook-static /usr/share/nginx/html
-COPY nginx.conf /etc/nginx/conf.d/default.conf.template
+COPY proxy/nginx.conf /etc/nginx/conf.d/default.conf
+COPY proxy/securityheaders.conf /etc/nginx/securityheaders.conf
 
 WORKDIR /usr/share/nginx/html
 USER 101

diff --git a/config/config_files/Dockerfile b/config/config_files/Dockerfile
@@ -22,6 +22,7 @@ USER 0
 RUN rm -rf /usr/share/nginx/html/*
 COPY --from=base /app/dist /usr/share/nginx/html
 COPY proxy/nginx.conf /etc/nginx/conf.d/default.conf.template
+COPY proxy/securityheaders.conf /etc/nginx/conf.d/securityheaders.conf.template
 
 EXPOSE 5001
 ENV APPSETTING_ENV=local

diff --git a/config/config_files/client.yaml b/config/config_files/client.yaml
@@ -135,6 +135,10 @@ jobs:
         working-directory: client/proxy
         run: diff nginx.conf <(curl https://raw.githubusercontent.com/equinor/amplify-components/main/config/config_files/nginx.conf)
 
+      - name: Compare remote proxy/nginx.conf to local
+        working-directory: client/proxy
+        run: diff securityheaders.conf <(curl https://raw.githubusercontent.com/equinor/amplify-components/main/config/config_files/securityheaders.conf)
+
       - name: Compare remote src/setupLocalhost.mjs to local
         working-directory: client/src
         run: diff setupLocalhost.mjs <(curl https://raw.githubusercontent.com/equinor/amplify-components/main/config/config_files/setupLocalhost.mjs)

diff --git a/config/config_files/env.sh b/config/config_files/env.sh
@@ -26,5 +26,6 @@ echo "  PORTAL_PROD_CLIENT_ID: \"$value\"," >>./env-config.js
 
 echo "}" >>./env-config.js
 
-# Update nginx.conf with relevant environment variables
+# Update nginx.conf and securityheaders.conf with relevant environment variables
 envsubst '${API_URL}' </etc/nginx/conf.d/default.conf.template >/etc/nginx/conf.d/default.conf
+envsubst '${API_URL}' </etc/nginx/conf.d/securityheaders.conf.template >/etc/nginx/conf.d/securityheaders.conf
diff --git a/config/config_files/nginx.conf b/config/config_files/nginx.conf
@@ -4,6 +4,8 @@ server {
 
     root   /usr/share/nginx/html;
 
+    include /etc/nginx/securityheaders.conf;
+
     location /api/ {
         client_max_body_size 100M;
         proxy_pass ${API_URL};

diff --git a/config/config_files/securityheaders.conf b/config/config_files/securityheaders.conf
@@ -0,0 +1,7 @@
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options nosniff;
+      add_header Referrer-Policy "same-origin";
+      add_header Permissions-Policy "fullscreen=(self), microphone=(), camera=(), autoplay=(), encrypted-media=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), payment=()";
+      add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://login.microsoftonline.com; frame-ancestors 'self' https://login.microsoftonline.com; img-src 'self' https://*.equinor.com https://raw.githubusercontent.com data:; script-src 'self'; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com; font-src 'self' https://cdn.eds.equinor.com; media-src 'none'; connect-src https://login.microsoftonline.com ${API_URL} https://graph.microsoft.com; block-all-mixed-content;";
+      add_header X-XSS-Protection "1; mode=block";
diff --git a/config/install.sh b/config/install.sh
@@ -39,6 +39,8 @@ cd ./proxy || (mkdir proxy && cd ./proxy || return)
 
 curl -s "https://raw.githubusercontent.com/equinor/amplify-components/main/config/config_files/nginx.conf" > nginx.conf
 
+curl -s "https://raw.githubusercontent.com/equinor/amplify-components/main/config/config_files/securityheaders.conf" > securityheaders.conf
+
 cd ../..
 
 printf -- "Downloading client github action...\n"

diff --git a/nginx.conf → proxy/nginx.conf b/nginx.conf → proxy/nginx.conf
@@ -5,9 +5,11 @@ server {
 
     root   /usr/share/nginx/html;
 
+    include /etc/nginx/securityheaders.conf;
+
     location / {
         index  index.html index.htm;
-        try_files $uri /index.html;                 
+        try_files $uri /index.html;
     }
 
     location ~ \.html$ {

diff --git a/proxy/securityheaders.conf b/proxy/securityheaders.conf
@@ -0,0 +1,7 @@
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options nosniff;
+      add_header Referrer-Policy "same-origin";
+      add_header Permissions-Policy "fullscreen=(self), microphone=(), camera=(), autoplay=(), encrypted-media=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), payment=()";
+      add_header Content-Security-Policy "default-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self' https://raw.githubusercontent.com https://img.shields.io/npm/v/@equinor/amplify-components data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com; font-src 'self' https://cdn.eds.equinor.com; media-src 'none'; connect-src 'self'; block-all-mixed-content;";
+      add_header X-XSS-Protection "1; mode=block";