Skip to content

Implement strict Content Security Policy using react-helmet-async #79

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
piyushsinghgaur1 wants to merge 2 commits into from
Closed

Implement strict Content Security Policy using react-helmet-async #79

piyushsinghgaur1 wants to merge 2 commits into from

Conversation

@piyushsinghgaur1
Copy link
Collaborator

@piyushsinghgaur1 piyushsinghgaur1 commented May 14, 2025
edited
Loading

Description:

This PR enhances the security of the React frontend by implementing a robust Content Security Policy (CSP) using react-helmet-async.

Key Changes:

  • Integrated react-helmet-async to manage CSP via React components
  • Defined a strict CSP (default-src 'self') to block untrusted sources
  • Removed <meta http-equiv="Content-Security-Policy"> from index.html
  • Whitelisted trusted domains for scripts, styles, fonts, and images
  • Validated implementation with browser dev tools — no CSP violations
  • Enabled support for resolving nested environment variables using env: placeholders

Why This Matters:

A strong CSP helps protect against XSS, clickjacking, and code injection attacks by limiting which sources are allowed to load content in the app.

@piyushsinghgaur1 piyushsinghgaur1 changed the title Implement strict Content Security Policy using react-helmet-async* Implement strict Content Security Policy using react-helmet-async May 14, 2025
@piyushsinghgaur1 piyushsinghgaur1 added the enhancement New feature or request label May 14, 2025
@piyushsinghgaur1 piyushsinghgaur1 linked an issue May 14, 2025 that may be closed by this pull request
[Security] Implement Content Security Policy (CSP) via react-helmet-async (React Frontend) #78
Closed
@piyushsinghgaur1 piyushsinghgaur1 self-assigned this May 14, 2025
AryanshSourcefuse
AryanshSourcefuse suggested changes May 16, 2025
View reviewed changes
@piyushsinghgaur1
feat(core): ARC-78 added CSP
6f55c09 
feat(security): implement CSP via react-helmet-async in React frontend
@piyushsinghgaur1 piyushsinghgaur1 marked this pull request as ready for review May 27, 2025 06:41
feat(config): update environment files with CSP directives and client…
27e13f7 
… configuration

Add CSP directives and client config to environment files

Updates example environment files to include Content Security Policy
(CSP) directives with secure defaults and client configuration keys.

Introduces logic to dynamically expand environment variables within
CSP directives, validates critical directives, and ensures secure
defaults where missing. Enhances security and configurability.

Relates to: feat(config)
@sonarqubecloud
Copy link

sonarqubecloud bot commented May 27, 2025

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@rohit-sourcefuse
Copy link

rohit-sourcefuse commented Jul 4, 2025

No longer required, as we've implemented a generic CSP package for both React and Angular boilerplates. See: https://github.com/sourcefuse/arc-spa-csp

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rohit-sourcefuse rohit-sourcefuse Awaiting requested review from rohit-sourcefuse

@SF-shiwangidubey SF-shiwangidubey Awaiting requested review from SF-shiwangidubey

@AryanshSourcefuse AryanshSourcefuse Awaiting requested review from AryanshSourcefuse

Assignees

@piyushsinghgaur1 piyushsinghgaur1

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Implement Content Security Policy (CSP) via react-helmet-async (React Frontend)

4 participants

@piyushsinghgaur1 @rohit-sourcefuse @AryanshSourcefuse