Skip to content

Enable "enforce" CSP for dev deployments #956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
labkey-tchad merged 2 commits into from
Dec 20, 2024
Merged

Enable "enforce" CSP for dev deployments #956

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
53b0ee1
Enable "enforce" CSP for dev deployments
labkey-tchad Dec 19, 2024
c03b7e8
Update comments
labkey-tchad Dec 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 14 additions & 31 deletions server/configs/application.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,37 +128,20 @@ management.server.port=@@shutdownPort@@
## Define one or both of 'csp.report' and 'csp.enforce' to enable Content Security Policy (CSP) headers
## Do not use these examples for any production environment without understanding the meaning of each directive!

## example usage 1 - very strict, disallows 'external' websites, disallows unsafe-inline, but only reports violations (does not enforce)

#csp.report=\
# default-src 'self';\
# connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
# object-src 'none' ;\
# style-src 'self' 'unsafe-inline' ;\
# img-src 'self' data: ;\
# font-src 'self' data: ;\
# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
# base-uri 'self' ;\
# upgrade-insecure-requests ;\
# frame-ancestors 'self' ;\
# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;

## example usage 2 - less strict but enforces directives, (NOTE: unsafe-inline is still required for many modules)

#csp.enforce=\
# default-src 'self' https: ;\
# connect-src 'self' https: ${LABKEY.ALLOWED.CONNECTIONS};\
# object-src 'none' ;\
# style-src 'self' https: 'unsafe-inline' ;\
# img-src 'self' data: ;\
# font-src 'self' data: ;\
# script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
# base-uri 'self' ;\
# upgrade-insecure-requests ;\
# frame-ancestors 'self' ;\
# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;

## Default CSP for TeamCity and dev deployments
## Default enforce CSP for dev deployments
#useLocalBuild#csp.enforce=\
#useLocalBuild# default-src 'self' https: http: ;\
#useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
#useLocalBuild# object-src 'none' ;\
#useLocalBuild# style-src 'self' https: 'unsafe-inline' ;\
#useLocalBuild# img-src 'self' https: data: ;\
#useLocalBuild# font-src 'self' http: https: data: ;\
#useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
#useLocalBuild# base-uri 'self' ;\
#useLocalBuild# frame-ancestors 'self' ;\
#useLocalBuild# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;

## Default report CSP for TeamCity and dev deployments
csp.report=\
default-src 'self' https: http: ;\
connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
Expand Down