feat: add CSP header to all the pages (#445)
* feat: initial CSP

* feat: add missing directives to load the content and scripts in the remaining pages

* fix: add Hotjar script

* docs: add comment describing the allowed lists

* fix: enhance `connect-src` directive with another Hotjar domain
DiogoSoaress authored Aug 28, 2024
1 parent 35f20b4 commit 2d198f3
Showing 2 changed files with 28 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/components/common/MetaTags/index.tsx
@@ -1,4 +1,5 @@
import { IS_PRODUCTION } from '@/config/constants'
import { ContentSecurityPolicy } from '@/config/securityHeaders'
import Head from 'next/head'

const defaultMetaTags = {
Expand Down Expand Up @@ -31,6 +32,9 @@ const MetaTags = (props: Partial<typeof defaultMetaTags>) => {

{!IS_PRODUCTION && <meta name="robots" content="noindex" />}

{/* CSP */}
<meta httpEquiv="Content-Security-Policy" content={ContentSecurityPolicy} />

{/* Mobile tags */}
<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="apple-mobile-web-app-title" content="safe" />
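Review bot: Delivering the policy through `<meta httpEquiv="Content-Security-Policy">` (L36) only constrains content that follows the tag in the document, and `frame-ancestors`, `report-uri`/`report-to` and `sandbox` are ignored in a meta element, so this change gives no clickjacking protection and no violation reporting. Since the policy already lives in its own module, consider emitting it as a real response header from Next.js (`headers()` in `next.config.js` or middleware) and keeping the meta tag only as a fallback, which would also let you add `frame-ancestors 'none'`. The `MetaTags` component starts before and ends after this hunk.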
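--- a/src/config/securityHeaders.ts
+++ b/src/config/securityHeaders.ts
@@ -0,0 +1,24 @@
+import { IS_PRODUCTION } from '@/config/constants'
+
+/**
+* Notes:
+* connect-src: Allows calls to Ashby's job board, Ecosystem DB API, Snapshot, Contentful and Hotjar.
+* script-src: Allows scripts from Hotjar, and Google Tag Manager. In development, 'unsafe-eval' is allowed for inline scripts to facilitate debugging.
+* img-src: Allows images from Contentful, Ecosystem DB for the project logos, Safe Claiming App for guardians images, and data URIs.
+* frame-src: Allows iframes from Mirror, Youtube and JWPlayer.
+*/
+export const ContentSecurityPolicy = `
+default-src 'self';
+connect-src 'self' https://api.ashbyhq.com/posting-api/job-board/safe.global/ https://ecosystem-database.staging.5afe.dev/data.json https://hub.snapshot.org/graphql https://cdn.contentful.com/spaces/1i5gc724wjeu/ https://metrics.hotjar.io/ https://content.hotjar.io/ wss://ws.hotjar.com;
+script-src 'self' ${
+IS_PRODUCTION ? '' : "'unsafe-eval'"
+} 'unsafe-inline' https://script.hotjar.com https://static.hotjar.com https://www.googletagmanager.com;
+style-src 'self' 'unsafe-inline';
+font-src 'self';
+object-src 'none';
+base-uri 'none';
+img-src 'self' http://images.ctfassets.net/ https://ecosystem-database.staging.5afe.dev/logos/ https://safe-claiming-app-data.safe.global/guardians/images/ data:;
+frame-src https://safe.mirror.xyz/ https://www.youtube-nocookie.com/ https://cdn.jwplayer.com/;
+`
+.replace(/\s{2,}/g, ' ')
+.trim()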
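Review bot: `script-src` (L57-L59) carries `'unsafe-inline'` unconditionally, so any injected inline `<script>` or event-handler attribute still executes and the policy offers little of the XSS mitigation that is the main reason to ship a CSP; the Notes comment also misstates this, since `'unsafe-eval'` governs `eval`/`new Function`, not inline scripts. If the inline scripts are presumably Next.js's own bootstrap, prefer a per-request `'nonce-…'` or `'sha256-…'` hashes of the fixed blocks, and until then reword the comment to `script-src: 'unsafe-inline' is required for the inline bootstrap scripts (weakens XSS protection; replace with nonces); 'unsafe-eval' is additionally allowed in development for eval()-based tooling.` Two smaller items: `img-src` allow-lists `http://images.ctfassets.net/`, which should read `https://images.ctfassets.net/` (an `http:` source expression also matches `https:`, but the explicit scheme avoids mixed-content confusion), and both `connect-src` and `img-src` bake the `ecosystem-database.staging.5afe.dev` host into the production policy — confirm that is intended or gate it on `IS_PRODUCTION` like `'unsafe-eval'`. Note also that path-restricted sources such as the Ashby and Contentful entries stop matching after a cross-origin redirect, which is worth a line in the comment.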
