PIMS-2106: Address WAVA Scan Findings (#2781)

bcgov · Nov 5, 2024 · a8b6da9 · a8b6da9
1 parent fdea9fc
commit a8b6da9
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 20 deletions.
diff --git a/express-api/src/middleware/headerHandler.ts b/express-api/src/middleware/headerHandler.ts
@@ -1,7 +1,7 @@
 import { NextFunction, Response } from 'express';
 
 const headerHandler: unknown = (req: Request, res: Response, next: NextFunction) => {
-  res.header('Access-Control-Allow-Origin', '*');
+  //res.header('Access-Control-Allow-Origin', '*');
   res.header('Access-Control-Allow-Methods', 'GET,PUT,PATCH,POST,DELETE');
   res.header('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization');
   next();

diff --git a/express-api/tests/integration/middleware/headerHandler.test.ts b/express-api/tests/integration/middleware/headerHandler.test.ts
@@ -9,7 +9,6 @@ describe('INTEGRATION - headerHandler middleware', () => {
   it('should set headers with expected values', async () => {
     const response = await request.get('/v2/health');
     // Remember to use lower case for header keys
-    expect(response.header['access-control-allow-origin']).toBe('*');
     expect(response.header['access-control-allow-methods']).toBe('GET,PUT,PATCH,POST,DELETE');
     expect(response.header['access-control-allow-headers']).toBe(
       'Content-Type, Accept, Authorization',

diff --git a/react-app/index.html b/react-app/index.html
@@ -1,22 +1,28 @@
 <!doctype html>
 <html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>PIMS</title>
+    <link
+      rel="stylesheet"
+      href="https://unpkg.com/[email protected]/dist/leaflet.css"
+      integrity="sha256-p4NxAoJBhIIN+hmNHrzRCf9tD/miZyoHS5obTRR9BMY="
+      crossorigin=""
+    />
+    <link
+      rel="stylesheet"
+      href="https://cdnjs.cloudflare.com/ajax/libs/leaflet.draw/1.0.4/leaflet.draw.css"
+    />
+  </head>
 
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>PIMS</title>
-  <link rel="stylesheet" href="https://unpkg.com/[email protected]/dist/leaflet.css"
-  integrity="sha256-p4NxAoJBhIIN+hmNHrzRCf9tD/miZyoHS5obTRR9BMY="
-  crossorigin=""/>
-  <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/leaflet.draw/1.0.4/leaflet.draw.css"/>
-</head>
-
-<body style="margin:0">
-  <div id="root"></div>
-  <script type="module" src="/src/index.tsx"></script>
-  <script src="https://unpkg.com/[email protected]/dist/leaflet.js"
-  integrity="sha256-20nQCchB9co0qIjJZRGuk2/Z9VM+kNiyxNV1lvTlZBo="
-  crossorigin=""></script>
-</body>
-
+  <body style="margin: 0">
+    <div id="root"></div>
+    <script type="module" src="/src/index.tsx"></script>
+    <script
+      src="https://unpkg.com/[email protected]/dist/leaflet.js"
+      integrity="sha256-20nQCchB9co0qIjJZRGuk2/Z9VM+kNiyxNV1lvTlZBo="
+      crossorigin=""
+    ></script>
+  </body>
 </html>
diff --git a/react-app/nginx.conf b/react-app/nginx.conf
@@ -1,4 +1,26 @@
 server {
+  # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+  # connect via HTTPS (do not use if only testing)
+  add_header Strict-Transport-Security "max-age=31536000;";
+
+  # Enable cross-site filter (XSS) and tell browser to block detected attacks
+  add_header X-XSS-Protection "1; mode=block";
+
+  # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+  add_header X-Content-Type-Options "nosniff";
+
+  # Disallow the site to be rendered within a frame (clickjacking protection)
+  add_header X-Frame-Options "DENY";
+
+  add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=()";
+
+  # Turn off all caddy caching
+  add_header Cache-Control "no-cache,no-store,must-revalidate";
+  add_header Pragma "no-cache";
+
+  # Content Security Policy
+  add_header Content-Security-Policy "default-src 'none'; frame-src 'self' *.gov.bc.ca; script-src 'nonce-windowsp' 'self' *.gov.bc.ca https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com; font-src 'self' *.gov.bc.ca; img-src 'self' *.gov.bc.ca data: tile.openstreetmap.org https://maps.googleapis.com https://unpkg.com https://cdnjs.cloudflare.com https://openmaps.gov.bc.ca; connect-src 'self' *.gov.bc.ca https://openmaps.gov.bc.ca; manifest-src 'self';";
+
   listen 3000;
   location / {
     root   /usr/share/nginx/html;