#3610 - Missing Content-security-policy (#3644)

- Create a different file to be consumed by `Docker` and `Docker.dev`
for nginx deployment.
- Moved the `add_header` instructions from "nginx.conf" to
"default.conf.dev.template". Both files had the `server` defined and the
headers were never added.
- The only difference between "default.conf.template" and
"default.conf.dev.template" is the `http://localhost:*` defined for the
`connect-src`.
- The only change from previous configurations was about
`Content-Security-Policy` and they are the below.
```
default-src 'self';
connect-src 'self' *.gov.bc.ca;
script-src 'self' 'unsafe-eval' https://cdn.form.io/flatpickr/flatpickr.min.js;
style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com/bootstrap/ https://cdn.form.io/flatpickr/flatpickr.min.css; 
font-src 'self' data:;
img-src 'self' data:"
```
- Comments about the above configurations
  - The list was created to test the web portal.
- Some are required because form.io loads external libs like
`flatpickr.min.js` on demand.
- `*.gov.bc.ca` was added to allow Keycloak access and logout URL for
Institutions.

### Minor outside PR scope changes
- Moved nginx files to a nginx folder.
- Changed the `web-local` make to build to make it easier to test
changes on the web app.

### Localhost sample with headers


![image](https://github.com/user-attachments/assets/1154a722-c31a-4b61-9be6-88c0d46cf942)

sources/Makefile

@@ -180,7 +180,7 @@ api: ## <Helper> :: Executes into the workspace container.
 # Local Web (nginx)
 web-local:
 	@echo "+\n++ Make: Run local web (nginx).\n+"
-	@docker compose -f docker-compose.yml up web
+	@docker compose -f docker-compose.yml up --build -d web
 
 local-db:
 	@echo "Make: Shelling into database workspace ..."

sources/packages/web/Dockerfile

@@ -8,7 +8,7 @@ RUN npm ci
 COPY . ./
 
 # Replace ${PORT} variable in the template and save as default.conf.
-RUN sed 's/${PORT}/'"${PORT}"'/g' default.conf.template > default.conf
+RUN sed 's/${PORT}/'"${PORT}"'/g' nginx/default.conf.template > default.conf
 
 RUN npm run build
 
@@ -25,7 +25,7 @@ COPY --from=builder /opt/app-root/src/dist .
 COPY --from=builder /opt/app-root/src/default.conf /etc/nginx/conf.d
 
 # Copying the main configuration file.
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx/nginx.conf /etc/nginx/nginx.conf
 
 # Daemon off makes nginx to run on the foreground with only one process.
 # Docker will kill the container if the process dies.

sources/packages/web/Dockerfile.dev

@@ -32,12 +32,12 @@ RUN mkdir /etc/nginx/templates
 COPY --from=builder /app/dist /opt/app-root/src
 
 # Copying the main configuration file.
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx/nginx.conf /etc/nginx/nginx.conf
 
 # Copying the configuration template file to templates dir. 
 # It will be processed to transform the vars in the template files into 
 # evaluated values and save the resulting files into /etc/nginx/conf.d/ dir.
-COPY default.conf.template /etc/nginx/templates/
+COPY nginx/default.conf.dev.template /etc/nginx/templates/default.conf.template
 
 # Changing ownwership of some nginx directories as it will run as nginx user.
 RUN chown nginx /var/cache/nginx/ -R

sources/packages/web/nginx/default.conf.dev.template

@@ -0,0 +1,26 @@
+# nginx default configuration.
+
+log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+server {
+  # Log to stdout
+  set $loggable 1;
+  if ($http_user_agent ~* "^kube-probe/") {
+        set $loggable 0;
+  }
+  access_log /dev/stdout main if=$loggable;
+
+  listen       ${PORT};
+  location / {
+    root   /opt/app-root/src;
+    index  index.html;
+    try_files $uri $uri/ /index.html;
+  }
+  add_header 'X-Content-Type-Options' "nosniff";
+  add_header 'Content-Security-Policy' "default-src 'self'; connect-src 'self' *.gov.bc.ca http://localhost:*; script-src 'self' 'unsafe-eval' https://cdn.form.io/flatpickr/flatpickr.min.js; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com/bootstrap/ https://cdn.form.io/flatpickr/flatpickr.min.css; font-src 'self' data:; img-src 'self' data:"; 
+  add_header 'Strict-Transport-Security' "max-age=31536000; includeSubDomains; preload";
+  add_header 'Referrer-Policy' "same-origin";
+  add_header 'X-Frame-Options' "sameorigin";
+}

sources/packages/web/nginx/default.conf.template

@@ -0,0 +1,26 @@
+# nginx default configuration.
+
+log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+server {
+  # Log to stdout
+  set $loggable 1;
+  if ($http_user_agent ~* "^kube-probe/") {
+        set $loggable 0;
+  }
+  access_log /dev/stdout main if=$loggable;
+
+  listen       ${PORT};
+  location / {
+    root   /opt/app-root/src;
+    index  index.html;
+    try_files $uri $uri/ /index.html;
+  }
+  add_header 'X-Content-Type-Options' "nosniff";
+  add_header 'Content-Security-Policy' "default-src 'self'; connect-src 'self' *.gov.bc.ca; script-src 'self' 'unsafe-eval' https://cdn.form.io/flatpickr/flatpickr.min.js; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com/bootstrap/ https://cdn.form.io/flatpickr/flatpickr.min.css; font-src 'self' data:; img-src 'self' data:"; 
+  add_header 'Strict-Transport-Security' "max-age=31536000; includeSubDomains; preload";
+  add_header 'Referrer-Policy' "same-origin";
+  add_header 'X-Frame-Options' "sameorigin";
+}

sources/packages/web/nginx/nginx.conf

@@ -0,0 +1,15 @@
+worker_processes  auto;
+
+# Log to stdout
+error_log /dev/stdout info;
+pid /tmp/nginx.pid;
+events {
+  worker_connections  1024;
+}
+http {
+  include /etc/nginx/mime.types;
+  include /etc/nginx/conf.d/default.conf;
+  default_type application/octet-stream;
+  sendfile on;
+  keepalive_timeout 65;
+}