harden web security #259

abhinavkgrd · 2021-11-30T17:13:40Z

Description

Moved headers from Next config to _headers because static exported files don't retain the headers [1]
added security headers suggested by observatory with some caveats
style-src unsafe-inline allowed [2][3]
script-src unsafe-eval allowed [4][5]
use ente domain URLs for workers
added connect-src https://ente-prod-eu.s3.eu-central-003.backblazeb2.com

[1] https://nextjs.org/docs/advanced-features/static-html-export#unsupported-features
[2] vercel/next.js#18557
[3] styled-components/styled-components#2363
[4] WebAssembly/content-security-policy#7
[5] strukturag/libheif#173

Test Plan

Observatory shows that the intended directives have been activated:
https://observatory.mozilla.org/analyze/web-security.bada-frame.pages.dev

cloudflare-workers-and-pages · 2021-11-30T17:16:22Z

Deploying with Cloudflare Pages

Latest commit:	`72ed18f`
Status:	⚡️ Build in progress...

View logs

no good solution to implement nonce and hash exists current styled-components/styled-components#2363 vercel/next.js#18557 (comment)

…ains

abhinavkgrd marked this pull request as draft November 30, 2021 17:13

adds next-secure-headers

ce22b0f

abhinavkgrd force-pushed the web-security branch from fb8a69c to ce22b0f Compare November 30, 2021 18:58

added clouflare headers config file

ec699c1

abhinavkgrd force-pushed the web-security branch from 46ff8a5 to ec699c1 Compare December 1, 2021 07:09

abhinavkgrd added 11 commits December 1, 2021 18:36

test

45911eb

update csp to report only and add report URI

bfd8695

fix csp self value , by adding quotes

d297b82

changed object src to none

4580470

move csp to meta tag in document to add inline script hash

366a283

add Referrer-Policy header

87f3f7a

remove headers as its not passed to exported app

e023474

better formatted csp

d51335b

add mode block to xss protection

d88e64b

make content security active

25ef3a8

added unsafe inline as fallback to hash for script-src

14094d1

abhinavkgrd force-pushed the web-security branch 2 times, most recently from 5c9d19e to 1e53886 Compare December 2, 2021 09:02

move all directive except script-src to header

4b03205

abhinavkgrd force-pushed the web-security branch from 1e53886 to 4b03205 Compare December 2, 2021 09:04

abhinavkgrd added 9 commits December 2, 2021 14:47

add missing report to and reporturi to

a8ad8b2

remove script hash

e5b9ad7

fix report-uri

e7bed74

test

7969d20

add unsafe inline to style-src

59b3745

no good solution to implement nonce and hash exists current styled-components/styled-components#2363 vercel/next.js#18557 (comment)

add back next-secure-header for local use

8ce1ae7

added testing headers

5854a94

add data: protocol for connect-src and remove require trusted for script

5931bf8

activate content scurity policy

949dd07

abhinavkgrd added 6 commits December 3, 2021 17:23

add unsafe eval to allow heif.js new Function() call

5df9212

add sub-resource integrity

e2e47d7

add html webpack plugin

28dd87b

run only for non server webpack

82a15ef

dont need HtmlWebpackPlugin and force enable SubresourceIntegrityPlugin

f9c91cd

remove unneccesary changes

0613209

abhinavkgrd force-pushed the web-security branch from 31da2ba to 0613209 Compare December 3, 2021 14:48

remove unneccasry packages

20d6574

abhinavkgrd force-pushed the web-security branch from bfd5e95 to 20d6574 Compare December 3, 2021 14:50

abhinavkgrd added 2 commits December 3, 2021 20:20

cleanup

7df09a1

add suggested observatory header

7b739ae

abhinavkgrd marked this pull request as ready for review December 3, 2021 15:38

update to use ente domain url for workes instead of worker.dev cf dom…

6e62f31

…ains

abhinavkgrd force-pushed the web-security branch from e47e913 to 6e62f31 Compare December 20, 2021 10:23

abhinavkgrd added 7 commits January 3, 2022 15:10

update csp report URL

52f0ac0

fix sentry tunnel URL

9acb767

allow blob foir connect-src

9c0f123

allow blob for script src

09e4f89

add b2 upload URL domain to connect-src

db3820a

fix b2 domain for connect-src

b789e62

change csp to report only for deployment

72ed18f

abhinavkgrd requested a review from vishnukvmd January 4, 2022 06:26

vishnukvmd approved these changes Jan 4, 2022

View reviewed changes

abhinavkgrd marked this pull request as draft January 4, 2022 07:30

abhinavkgrd merged commit 1d0aa42 into master Jan 4, 2022

abhinavkgrd deleted the web-security branch January 16, 2022 11:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

harden web security #259

harden web security #259

abhinavkgrd commented Nov 30, 2021 •

edited by vishnukvmd

Loading

cloudflare-workers-and-pages bot commented Nov 30, 2021 •

edited

Loading

harden web security #259

harden web security #259

Conversation

abhinavkgrd commented Nov 30, 2021 • edited by vishnukvmd Loading

Description

Test Plan

cloudflare-workers-and-pages bot commented Nov 30, 2021 • edited Loading

Deploying with Cloudflare Pages

abhinavkgrd commented Nov 30, 2021 •

edited by vishnukvmd

Loading

cloudflare-workers-and-pages bot commented Nov 30, 2021 •

edited

Loading