added CSP policy to headers in nginx config

Ticket: SEC-1051 Changelog: None Signed-off-by: Mikita Pilinka <[email protected]>
cfengine · Jun 26, 2024 · 8d1fc1c · 8d1fc1c
1 parent b561710
commit 8d1fc1c
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 18 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -73,6 +73,9 @@ http {
         add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header 'Referrer-Policy' 'strict-origin';
+        # 'sha256-ruKmkK0iwJgE/F4xuzLY3V2OuzVOOJISav7NURhCKsM=' hugo discuss template (https://github.com/gohugoio/hugo/blob/master/tpl/tplimpl/embedded/templates/disqus.html)
+        add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net; connect-src 'self' *.disqus.com *.disquscdn.com *.google-analytics.com; script-src 'self' 'sha256-ruKmkK0iwJgE/F4xuzLY3V2OuzVOOJISav7NURhCKsM=' *.disqus.com *.disquscdn.com *.googletagmanager.com; object-src 'self'; img-src 'self' data: https:; font-src 'self' https:; frame-src 'self' www.google.com www.youtube.com; manifest-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;";
+
         #add_header Feature-Policy "speaker self;fullscreen self;";
         ## Block common exploits
         ## https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc

diff --git a/static/js/cookie-consent-listener.js b/static/js/cookie-consent-listener.js
@@ -0,0 +1,17 @@
+let gaInitialized = false;
+document.addEventListener('cookieconsent_allowed', () => {
+    console.log('allowed');
+    if (gaInitialized === true) return;
+    const script = document.createElement('script');
+    script.src = 'https://www.googletagmanager.com/gtag/js?id=G-TW89K2P8L4';
+    document.head.appendChild(script);
+    script.addEventListener('load', function () {
+        window.dataLayer = window.dataLayer || [];
+        function gtag() {
+            dataLayer.push(arguments);
+        }
+        gtag('js', new Date());
+        gtag('config', 'G-TW89K2P8L4');
+        gaInitialized = true;
+    });
+});
diff --git a/themes/cfbs-theme/layouts/partials/header.html b/themes/cfbs-theme/layouts/partials/header.html
@@ -24,24 +24,7 @@
 <meta name="twitter:description" content="{{ if isset .Params "preview_description" }}{{ index .Params "preview_description" }}{{ else }}{{ .Params.Description }}{{ end }}" />
 <meta name="twitter:image" content="{{ if isset .Params "preview_image_url" }}{{ index .Params "preview_image_url" }}{{ else }}https://build.cfengine.com/module.png{{ end }}" />
 
-<script>
-    let gaInitialized = false;
-    document.addEventListener('cookieconsent_allowed', () => {
-        if (gaInitialized === true) return;
-        const script = document.createElement('script');
-        script.src = 'https://www.googletagmanager.com/gtag/js?id=G-TW89K2P8L4';
-        document.head.appendChild(script);
-        script.addEventListener('load', function () {
-            window.dataLayer = window.dataLayer || [];
-            function gtag() {
-                dataLayer.push(arguments);
-            }
-            gtag('js', new Date());
-            gtag('config', 'G-TW89K2P8L4');
-            gaInitialized = true;
-        });
-    });
-</script>
+<script src="{{ "js/cookie-consent-listener.js" | relURL }}"></script>
 </head>
 <body>