Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parameterize and Update CORS and CSP #244

Merged
merged 6 commits into from
May 24, 2024
Merged

Parameterize and Update CORS and CSP #244

merged 6 commits into from
May 24, 2024

Conversation

Matthew-Grayson
Copy link
Contributor

@Matthew-Grayson Matthew-Grayson commented May 10, 2024
edited

🗣 Description

Update CORS and CSP
Convert CORS and CSP settings to environment variables.
Add variables to dev.env.example for local testing
Delete constants.js file

💭 Motivation and context

Updated CORS and CSP improve site security limiting which websites can request resources from our API. This reduces the risk of cross-site request forgery (CSRF) and data leakage, as only listed origins are allowed to interact with our server.
Parameterizing these settings allows us to change them using the AWS console without initiating a new deployment.
closes issue #241

🧪 Testing

All tests pass and site functions as expected. Full testing requires deployment to DMZ staging.
You must add the following new environment variables from dev.env.example to your .env file for your local environment to work.

CORS_MAIN={"origin":"http://localhost","methods":"GET,POST,PUT,DELETE,OPTIONS"}
CORS_DOCS={{"origin":"http://localhost","methods":"GET"}}
CSP_MAIN={"directives":{"defaultSrc":["'self'","http://localhost"],"frameSrc":["'self'","https://www.dhs.gov/ntas/"],"imgSrc":["'self'","http://localhost","https://www.dhs.gov"],"objectSrc":["'none'"],"scriptSrc":["'self'","http://localhost","https://www.dhs.gov"],"frameAncestors":["'none'"]}}
CSP_DOCS={"directives":{"baseUri":["'none'"],"defaultSrc":["'self'"],"frameAncestors":["'none'"],"objectSrc":["'none'"],"scriptSrc":["'none'"]}}

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release.

@Matthew-Grayson
Specify XFD and RSC urls in cors origin and csp src; remove localhost…
14c760a 
… from policies; refactor csp to allow embeding DHS NTAS widget.
@Matthew-Grayson
Add RSC subdomains to docs cors policy; revert cors/csp in backend ap…
271b63e 
…p.ts since it only applies to local environment.
@Matthew-Grayson Matthew-Grayson linked an issue May 10, 2024 that may be closed by this pull request
Add Explicit CORS URLs #241
Closed
@Matthew-Grayson Matthew-Grayson marked this pull request as ready for review May 10, 2024 19:47
@Matthew-Grayson Matthew-Grayson self-assigned this May 13, 2024
cduhn17
cduhn17 reviewed May 13, 2024
View reviewed changes
Copy link
Collaborator

@cduhn17 cduhn17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per conversation. Do we want to parameterize some of these URL's so we dont have to go through a review and release cycle in the event the URL do change.

@chrtorres chrtorres mentioned this pull request May 13, 2024
Closed
10 tasks
@Matthew-Grayson Matthew-Grayson marked this pull request as draft May 13, 2024 17:04
@Matthew-Grayson
Copy link
Contributor Author

Per @cduhn17's suggestion, I'll parameterize these settings

@chrtorres chrtorres mentioned this pull request May 13, 2024
Closed
@Matthew-Grayson
Parameterize CORS and Content Security Policy settings; add environme…
82170c1 
…nt variable for policies to dev.env.example for local development.
@Matthew-Grayson Matthew-Grayson marked this pull request as ready for review May 17, 2024 19:16
@Matthew-Grayson Matthew-Grayson changed the title 241 add explicit cors urls Parameterize and Update CORS and CSP May 20, 2024
@rapidray12
Copy link
Collaborator

Needed for ANDI to run correctly

@schmelz21 schmelz21 merged commit db7aa3f into develop May 24, 2024
21 of 23 checks passed
@schmelz21 schmelz21 deleted the 241-add-explicit-cors-urls branch May 24, 2024 12:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cduhn17 cduhn17 cduhn17 left review comments

@aloftus23 aloftus23 aloftus23 approved these changes

@rapidray12 rapidray12 rapidray12 approved these changes

@nickviola nickviola Awaiting requested review from nickviola nickviola is a code owner

@schmelz21 schmelz21 Awaiting requested review from schmelz21 schmelz21 is a code owner

Assignees

@Matthew-Grayson Matthew-Grayson

Labels
frontend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Explicit CORS URLs
5 participants
@Matthew-Grayson @rapidray12 @aloftus23 @cduhn17 @schmelz21