Merge pull request #589 from cloud-gov/bh-csp-connect-src
Add connect-src to CSP headers
hursey013 authored Nov 4, 2024
2 parents 61de4e1 + cd6afca commit da65120
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/middlewares/withCSP.ts
Expand Up @@ -8,15 +8,16 @@ export const withCSP: MiddlewareFactory = (next: NextMiddleware) => {
const nonce = request.headers.get('x-nonce') as string;
const cspHeader = `
default-src 'self';
script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === 'development' ? "'unsafe-eval'" : ''};
connect-src 'self' *.us-gov-west-1.aws-us-gov.cloud.gov;
script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https: http: ${process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval'`};
style-src 'self' 'nonce-${nonce}';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
${process.env.NODE_ENV !== 'development' ? 'upgrade-insecure-requests;' : ''};
${process.env.NODE_ENV === 'production' ? '' : 'upgrade-insecure-requests;'};
`;

// Replace newline characters and spaces
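Review bot: The `upgrade-insecure-requests` ternary on the second of the two upgrade lines reads as inverted: `NODE_ENV === 'production' ? '' : 'upgrade-insecure-requests;'` emits the directive only outside production and drops it in production, whereas the other line emits it everywhere except development; if the `=== 'production'` form is the new side (the rendered page marks neither line), the likely intent is `${process.env.NODE_ENV === 'production' ? 'upgrade-insecure-requests;' : ''}`, and as written it will also try to upgrade plain-http local dev requests. On the script-src line that lists `https: http:`, those scheme sources are ignored by browsers that honour `'strict-dynamic'` but become the effective allowlist on browsers that do not, so the `http:` entry widens the fallback to any origin; if it exists only as a legacy fallback, say so in a comment such as `// https:/http: are fallbacks for browsers without 'strict-dynamic'; ignored elsewhere`. The new `connect-src` entry `*.us-gov-west-1.aws-us-gov.cloud.gov` is a wildcard over a shared platform suffix; if other tenants can obtain hostnames under it, the page can be made to talk to them, so pinning the specific service host(s) is safer. The `withCSP` function begins before this hunk and continues after it.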
