harden web security #273

abhinavkgrd · 2022-01-04T07:29:33Z

Description

Moved headers from Next config to _headers because static exported files don't retain the headers [1]
added security headers suggested by observatory with some caveats
style-src unsafe-inline allowed [2][3]
script-src unsafe-eval allowed [4][5]
use ente domain URLs for workers
added connect-src https://ente-prod-eu.s3.eu-central-003.backblazeb2.com

[1] https://nextjs.org/docs/advanced-features/static-html-export#unsupported-features
[2] vercel/next.js#18557
[3] styled-components/styled-components#2363
[4] WebAssembly/content-security-policy#7
[5] strukturag/libheif#173

Test Plan

Observatory shows that the intended directives have been activated:
https://observatory.mozilla.org/analyze/web-security.bada-frame.pages.dev

no good solution to implement nonce and hash exists current styled-components/styled-components#2363 vercel/next.js#18557 (comment)

…ains

abhinavkgrd added 30 commits December 1, 2021 00:28

adds next-secure-headers

ce22b0f

added clouflare headers config file

ec699c1

test

45911eb

update csp to report only and add report URI

bfd8695

fix csp self value , by adding quotes

d297b82

changed object src to none

4580470

move csp to meta tag in document to add inline script hash

366a283

add Referrer-Policy header

87f3f7a

remove headers as its not passed to exported app

e023474

better formatted csp

d51335b

add mode block to xss protection

d88e64b

make content security active

25ef3a8

added unsafe inline as fallback to hash for script-src

14094d1

move all directive except script-src to header

4b03205

add missing report to and reporturi to

a8ad8b2

remove script hash

e5b9ad7

fix report-uri

e7bed74

test

7969d20

add unsafe inline to style-src

59b3745

no good solution to implement nonce and hash exists current styled-components/styled-components#2363 vercel/next.js#18557 (comment)

add back next-secure-header for local use

8ce1ae7

added testing headers

5854a94

add data: protocol for connect-src and remove require trusted for script

5931bf8

activate content scurity policy

949dd07

add unsafe eval to allow heif.js new Function() call

5df9212

add sub-resource integrity

e2e47d7

add html webpack plugin

28dd87b

run only for non server webpack

82a15ef

dont need HtmlWebpackPlugin and force enable SubresourceIntegrityPlugin

f9c91cd

remove unneccesary changes

0613209

remove unneccasry packages

20d6574

abhinavkgrd added 10 commits December 3, 2021 20:20

cleanup

7df09a1

add suggested observatory header

7b739ae

update to use ente domain url for workes instead of worker.dev cf dom…

6e62f31

…ains

update csp report URL

52f0ac0

fix sentry tunnel URL

9acb767

allow blob foir connect-src

9c0f123

allow blob for script src

09e4f89

add b2 upload URL domain to connect-src

db3820a

fix b2 domain for connect-src

b789e62

change csp to report only for deployment

72ed18f

abhinavkgrd changed the title ~~Web security~~ harden web security Jan 4, 2022

vishnukvmd self-requested a review January 4, 2022 07:30

vishnukvmd approved these changes Jan 4, 2022

View reviewed changes

abhinavkgrd merged commit 1d0aa42 into master Jan 4, 2022

abhinavkgrd deleted the web-security-clean branch January 16, 2022 11:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

harden web security #273

harden web security #273

abhinavkgrd commented Jan 4, 2022

harden web security #273

harden web security #273

Conversation

abhinavkgrd commented Jan 4, 2022

Description

Test Plan