diff --git a/express-api/src/middleware/headerHandler.ts b/express-api/src/middleware/headerHandler.ts index 14944de13b..6fdee69dce 100644 --- a/express-api/src/middleware/headerHandler.ts +++ b/express-api/src/middleware/headerHandler.ts @@ -1,7 +1,7 @@ import { NextFunction, Response } from 'express'; const headerHandler: unknown = (req: Request, res: Response, next: NextFunction) => { - res.header('Access-Control-Allow-Origin', '*'); + //res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Methods', 'GET,PUT,PATCH,POST,DELETE'); res.header('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization'); next(); diff --git a/express-api/tests/integration/middleware/headerHandler.test.ts b/express-api/tests/integration/middleware/headerHandler.test.ts index 5d0310136c..799f40a81d 100644 --- a/express-api/tests/integration/middleware/headerHandler.test.ts +++ b/express-api/tests/integration/middleware/headerHandler.test.ts @@ -9,7 +9,6 @@ describe('INTEGRATION - headerHandler middleware', () => { it('should set headers with expected values', async () => { const response = await request.get('/v2/health'); // Remember to use lower case for header keys - expect(response.header['access-control-allow-origin']).toBe('*'); expect(response.header['access-control-allow-methods']).toBe('GET,PUT,PATCH,POST,DELETE'); expect(response.header['access-control-allow-headers']).toBe( 'Content-Type, Accept, Authorization', diff --git a/react-app/index.html b/react-app/index.html index beccf76efd..51e58cd587 100644 --- a/react-app/index.html +++ b/react-app/index.html @@ -1,22 +1,28 @@ + + + + PIMS + + + - - - - PIMS - - - - - -
- - - - + +
+ + + diff --git a/react-app/nginx.conf b/react-app/nginx.conf index e278bff0d2..1b7e8839ea 100644 --- a/react-app/nginx.conf +++ b/react-app/nginx.conf @@ -1,4 +1,26 @@ server { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always + # connect via HTTPS (do not use if only testing) + add_header Strict-Transport-Security "max-age=31536000;"; + + # Enable cross-site filter (XSS) and tell browser to block detected attacks + add_header X-XSS-Protection "1; mode=block"; + + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + add_header X-Content-Type-Options "nosniff"; + + # Disallow the site to be rendered within a frame (clickjacking protection) + add_header X-Frame-Options "DENY"; + + add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=()"; + + # Turn off all caddy caching + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma "no-cache"; + + # Content Security Policy + add_header Content-Security-Policy "default-src 'none'; frame-src 'self' *.gov.bc.ca; script-src 'nonce-windowsp' 'self' *.gov.bc.ca https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com; font-src 'self' *.gov.bc.ca; img-src 'self' *.gov.bc.ca data: tile.openstreetmap.org https://maps.googleapis.com https://unpkg.com https://cdnjs.cloudflare.com https://openmaps.gov.bc.ca; connect-src 'self' *.gov.bc.ca https://openmaps.gov.bc.ca; manifest-src 'self';"; + listen 3000; location / { root /usr/share/nginx/html;