refactor: add nginx security headers (#1029)

devcatalin · web-flow · commit 7a42f280b674 · 2024-04-08T15:44:06.000+03:00
* refactor: add nginx security headers

* chore: update conf

* refactor: configurable security headers

* refactor: security script changes

* refactor: use API_HOST
diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ COPY --from=build /app/packages/web/build /app/build
 
 COPY ./packages/web/scripts/env.sh /app/init/
 COPY ./packages/web/scripts/inject-base-href.sh /app/init/
+COPY ./packages/web/scripts/security.sh /app/init/
 
 RUN chmod +x /app/init/env.sh /app/init/inject-base-href.sh && \
     chmod a+w /etc/nginx/nginx.conf /app/build/index.html && \
@@ -49,6 +50,7 @@ CMD [ \
    cp -R /app/nginx/. /etc/nginx && \
    sh /app/init/env.sh env-config.js && \
    sh /app/init/inject-base-href.sh && \
+   sh /app/init/security.sh && \
    export DISABLE_IPV6=\"$([[ \"$ENABLE_IPV6\" = \"true\" ]] && echo \"false\" || echo \"true\")\" && \
    envsubst '$DISABLE_IPV6' < /etc/nginx/nginx.conf.tmpl | sed -e '1h;2,$H;$!d;g' -e 's/# cut true.*# end//g' > /etc/nginx/nginx.conf && \
    nginx -g \"daemon off;\"" ]
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -43,5 +43,8 @@ http {
         gzip_http_version 1.1;
         gzip_min_length 0;
         gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;
+
+        #SecurityHeaders
+
     }
 }
diff --git a/packages/web/scripts/security.sh b/packages/web/scripts/security.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+API_HOST=$(echo $REACT_APP_API_SERVER_ENDPOINT | sed -e 's|http://||g' -e 's|https://||g')
+
+tempFile=$(mktemp /etc/nginx/tempfile.XXXXXXXX)
+
+cat > "${tempFile}" <<EOF
+
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' http://${API_HOST} https://${API_HOST} ws://${API_HOST} wss://${API_HOST} blob:;";
+EOF
+
+if [ "${ENABLE_SECURITY_HEADERS}" = "true" ]; then
+  sed -i "/#SecurityHeaders/r ${tempFile}" /etc/nginx/nginx.conf.tmpl
+fi
+
+rm "${tempFile}"
+
+cat /etc/nginx/nginx.conf.tmpl

Original file line number	Diff line number	Diff line change
`@@ -43,5 +43,8 @@ http {`
`43`	`43`	`gzip_http_version 1.1;`
`44`	`44`	`gzip_min_length 0;`
`45`	`45`	`gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;`
	`46`	`+`
	`47`	`+ #SecurityHeaders`
	`48`	`+`
`46`	`49`	`}`
`47`	`50`	`}`