refactor: add nginx security headers (#1029)

* refactor: add nginx security headers * chore: update conf * refactor: configurable security headers * refactor: security script changes * refactor: use API_HOST
kubeshop · Apr 8, 2024 · 7a42f28 · 7a42f28
1 parent c7a2477
commit 7a42f28
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ COPY --from=build /app/packages/web/build /app/build
 
 COPY ./packages/web/scripts/env.sh /app/init/
 COPY ./packages/web/scripts/inject-base-href.sh /app/init/
+COPY ./packages/web/scripts/security.sh /app/init/
 
 RUN chmod +x /app/init/env.sh /app/init/inject-base-href.sh && \
     chmod a+w /etc/nginx/nginx.conf /app/build/index.html && \
@@ -49,6 +50,7 @@ CMD [ \
    cp -R /app/nginx/. /etc/nginx && \
    sh /app/init/env.sh env-config.js && \
    sh /app/init/inject-base-href.sh && \
+   sh /app/init/security.sh && \
    export DISABLE_IPV6=\"$([[ \"$ENABLE_IPV6\" = \"true\" ]] && echo \"false\" || echo \"true\")\" && \
    envsubst '$DISABLE_IPV6' < /etc/nginx/nginx.conf.tmpl | sed -e '1h;2,$H;$!d;g' -e 's/# cut true.*# end//g' > /etc/nginx/nginx.conf && \
    nginx -g \"daemon off;\"" ]
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -43,5 +43,8 @@ http {
         gzip_http_version 1.1;
         gzip_min_length 0;
         gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;
+
+        #SecurityHeaders
+
     }
 }
diff --git a/packages/web/scripts/security.sh b/packages/web/scripts/security.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+API_HOST=$(echo $REACT_APP_API_SERVER_ENDPOINT | sed -e 's|http://||g' -e 's|https://||g')
+
+tempFile=$(mktemp /etc/nginx/tempfile.XXXXXXXX)
+
+cat > "${tempFile}" <<EOF
+
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' http://${API_HOST} https://${API_HOST} ws://${API_HOST} wss://${API_HOST} blob:;";
+EOF
+
+if [ "${ENABLE_SECURITY_HEADERS}" = "true" ]; then
+  sed -i "/#SecurityHeaders/r ${tempFile}" /etc/nginx/nginx.conf.tmpl
+fi
+
+rm "${tempFile}"
+
+cat /etc/nginx/nginx.conf.tmpl