csp_policy_part_1

ensdomains · Sep 9, 2024 · 0b969dc · 0b969dc
1 parent 1d318d7
commit 0b969dc
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 121 deletions.
diff --git a/functions/_middleware.ts b/functions/_middleware.ts
@@ -55,22 +55,96 @@ const firefoxRewrite: PagesFunction = async ({ request, next }) => {
   const userAgent = request.headers.get('user-agent')?.toLowerCase()
   const response = await next()
 
+  // ****************************************************** CSP HEADERS DEFAULTS ******************************************************
+
+  // default headers
+  // response.headers.set(
+  //   'Content-Security-Policy',
+  //   "worker-src 'self'; script-src 'self' 'sha256-UyYcl+sKCF/ROFZPHBlozJrndwfNiC5KT5ZZfup/pPc=' https://*.googletagmanager.com plausible.io static.cloudflareinsights.com *.ens-app-v3.pages.dev https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'wasm-unsafe-eval'; frame-ancestors 'self' https://app.safe.global;",
+  // )
+
+  // Default policy for all resource types, restricts everything to the same origin ('self'). default-src 'self'
+
+  // Limits worker sources (Service Workers, Web Workers) to the same origin for security. worker-src 'self'
+
+  // Controls where scripts can be loaded from:
+  // - 'self' allows scripts from the same origin.
+  // - 'sha256-UyYcl+sKCF/ROFZPHBlozJrndwfNiC5KT5ZZfup/pPc=' is a specific inline script allowed by hash.
+  // - External trusted domains (e.g., Google Tag Manager, Plausible, Cloudflare, ENS, and Intercom).
+  // - 'wasm-unsafe-eval' allows WebAssembly execution using eval().
+
+  // Controls where styles (CSS) can be loaded from:
+  // - 'self' allows styles from the same origin.
+  // - 'unsafe-inline' permits inline styles (needed in some frameworks like React).
+  // - Allows external styles from Google Fonts.
+
+  // Limits image sources to:
+  // - 'self' allows images from the same origin.
+  // - 'data:' allows inline base64-encoded images (useful for certain cases).
+
+  // Controls where fonts can be loaded from:
+  // - 'self' allows fonts from the same origin.
+  // - Allows external fonts from Google Fonts.
+
+  // Disables plugins like Flash for enhanced security. object-src 'none'
+
+  // Ensures that forms can only submit data to the same origin. form-action 'self'
+
+  // Protects against clickjacking by allowing the site to be embedded only in frames on the same origin and on specific trusted domains (e.g., app.safe.global). frame-ancestors 'self' https://app.safe.global;
+
+  // Prevents setting a base URL, reducing the risk of injection attacks via the base element. base-uri 'self'
+
+  // Controls where the browser can make network requests:
+  // - 'self' allows network requests to the same origin.
+  // - Specific trusted external domains (e.g., IPFS, Ethereum, Infura) are permitted for API and data fetching.
+
+  // Ensures that all requests are upgraded from HTTP to HTTPS. upgrade-insecure-requests;
+
+  // Blocks any mixed content (e.g., loading HTTP resources on an HTTPS page) to ensure full security.
+
+  const defaultCSP = `
+  default-src 'self';
+  worker-src 'self';
+  script-src 'self' 'sha256-UyYcl+sKCF/ROFZPHBlozJrndwfNiC5KT5ZZfup/pPc=' https://*.googletagmanager.com plausible.io static.cloudflareinsights.com https://*.ens-app-v3.pages.dev https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'wasm-unsafe-eval';
+  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+  img-src 'self' data: https://*.ipfs.io  https://ipfs.euc.li  ipfs://*;
+  font-src 'self' https://fonts.googleapis.com;
+  object-src 'none';
+  form-action 'self';
+  frame-ancestors 'self' https://app.safe.global;
+  base-uri 'self';
+  connect-src 'self' https://*.ipfs.io https://*.ethereum.org https://mainnet.infura.io  https://ipfs.euc.li  ipfs://*;
+  upgrade-insecure-requests;
+  block-all-mixed-content;
+  `
+    .replace(/\s{2,}/g, ' ')
+    .trim()
+
+  response.headers.set('Content-Security-Policy', defaultCSP)
+
+  response.headers.set('X-Frame-Options', 'DENY') // Prevent clickjacking
+  response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload') // Enforce HTTPS
+  response.headers.set(
+    'Permissions-Policy',
+    'camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=()',
+  ) // Restrict browser features
+  response.headers.set('Referrer-Policy', 'no-referrer') // Strictest referrer policy
+  response.headers.set('X-Content-Type-Options', 'nosniff') // Prevent MIME type sniffing
+  response.headers.set('X-Permitted-Cross-Domain-Policies', 'none') // Restrict cross-domain policies
+  response.headers.set('Expect-CT', 'max-age=86400, enforce') // Ensure Certificate Transparency
+  response.headers.set(
+    'Cache-Control',
+    'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0',
+  ) // Secure cache management
+
+  // ****************************************************** CSP HEADERS FOR FIREFOX DEFAULTS ******************************************************
   // firefox CSP exception + metamask script
   if (userAgent?.includes('gecko/20100101') && userAgent.includes('firefox/')) {
-    response.headers.set(
-      'Content-Security-Policy',
-      "frame-ancestors 'self' https://app.safe.global;",
-    )
     return new HTMLRewriter()
       .on('head', new ScriptWriter('/_next/static/chunks/initialise-metamask.js'))
       .transform(response)
   }
 
-  // default headers
-  response.headers.set(
-    'Content-Security-Policy',
-    "worker-src 'self'; script-src 'self' 'sha256-UyYcl+sKCF/ROFZPHBlozJrndwfNiC5KT5ZZfup/pPc=' https://*.googletagmanager.com plausible.io static.cloudflareinsights.com *.ens-app-v3.pages.dev https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'wasm-unsafe-eval'; frame-ancestors 'self' https://app.safe.global;",
-  )
   return response
 }