🔧[#42] add HSTS & CSP settings #49
Conversation
Coperh
requested review from
annashamray and
stevenbal
and removed request for
annashamray
Coperh
force-pushed
the
issue/42-headers-for-CSP-and-HSTS
branch
from
eea1e52 to
a1815cc
Compare
| # NOTE: make sure values are a tuple or list, and to quote special values like 'self' | ||
|
|
||
| # ideally we'd use BASE_URI but it'd have to be lazy or cause issues | ||
| CSP_DEFAULT_SRC = [ |
There was a problem hiding this comment.
I tried testing this with Open Zaak, but I don't see any of the Content-Security-Policy headers showing up in the response headers. Does it work for you?
There was a problem hiding this comment.
I've tested with all the components and can confirm they work now.
Open-zaak does not use the open-api-framework MIDDLEWARE so it is not enabled by default.
open_api_framework/conf/base.py
Outdated
| CSP_FORM_ACTION = ( | ||
| config( | ||
| "CSP_FORM_ACTION", | ||
| default=["\"'self'\"", "https:"] |
There was a problem hiding this comment.
I think we can remove https: here, in the comment it's mentioned that this is required for eHerkenning, but this doesn't apply for any of the registration components I think? @annashamray
open_api_framework/conf/base.py
Outdated
| # and the signature component which saves the image drawn on the canvas as data: URI | ||
| CSP_IMG_SRC = ( | ||
| CSP_DEFAULT_SRC | ||
| + ["data:", "https://service.pdok.nl/"] |
There was a problem hiding this comment.
I think service.pdok.nl can be excluded (@annashamray double check, we don't use this anywhere in the registration components, right?)
There was a problem hiding this comment.
I think so, it's kadaster service afaik, which we don't use
Coperh
force-pushed
the
issue/42-headers-for-CSP-and-HSTS
branch
3 times, most recently
from
bb115f7 to
874e5cb
Compare
Coperh
force-pushed
the
issue/42-headers-for-CSP-and-HSTS
branch
from
874e5cb to
7ec82db
Compare
Fixes #42
Again just copy pasted most settings from OpenForms