Refs #1238
This set of changes configures the CSP based on my initial clicking around the website locally, looking for problems. Inevitably, there will be things I have missed (due to lack of exhaustive searching and differences between my environment and production). Because of this, I have set the CSP middleware to send "report-only" headers, meaning the actual functioning of the site will not be affected yet. It will report violations to a URI that we configure to receive that information, which we can then use to determine when we are ready to activate the CSP for real.
I've set the CSP_REPORT_URI to send it to Sentry.io's service for receiving these reports in the Heroku settings.
This change should be safe to deploy as it should not change what resources the browser loads at all; it only reports them if they would violate the set of directives I've initially added.
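An added example, not code from this PR or its project, showing the two halves of the workflow the description relies on: emitting the policy as a `Content-Security-Policy-Report-Only` header (the `report_only` switch is the "activate for real" step the PR defers), and triaging the JSON violation reports a browser POSTs to the report URI so you can tell what enforcement would break. The directive set and the report endpoint are constructed placeholders (the PR lists neither), and the `build_csp_header` / `summarize` functions are assumptions for illustration, not the middleware's own API.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed directive set and placeholder report endpoint: the PR does not
# list its directives, and the real reporting endpoint is not on the page.
DIRECTIVES: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
}
REPORT_URI = "https://csp-report.example.invalid/report"  # placeholder


def build_csp_header(directives: Dict[str, List[str]], report_uri: Optional[str],
                     report_only: bool = True) -> Tuple[str, str]:
    """Serialize directives into a (header-name, header-value) pair.

    report_only=True yields Content-Security-Policy-Report-Only: the browser
    reports violations to report-uri but blocks nothing, which is why the PR
    calls the change safe to deploy. report_only=False enforces the policy.
    """
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, "; ".join(parts)


def parse_report(body: str) -> Optional[Tuple[str, str, str]]:
    """Parse one browser-sent report ({"csp-report": {...}} JSON).

    Returns (document-uri, directive, blocked-uri), or None when the payload
    is not a well-formed report: the endpoint is reachable by anyone, so the
    collector must tolerate junk rather than trust the body.
    """
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    directive = directive.split(" ")[0]  # older reports send "script-src 'self'"
    if not directive:
        return None
    return report.get("document-uri", ""), directive, report.get("blocked-uri", "")


def summarize(bodies: Iterable[str]) -> Counter:
    """Count violations by (directive, blocked-uri) across many reports.

    Each key is a load the policy would break once enforced; a reviewer then
    decides per entry whether it is a legitimate source the allow-list lacks
    or an unwanted load the policy is right to reject.
    """
    counts: Counter = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed is None:
            continue
        _, directive, blocked = parsed
        counts[(directive, blocked)] += 1
    return counts


# Constructed sample reports, shaped like what browsers POST to report-uri.
SAMPLE_REPORTS: List[str] = [
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "script-src-elem",
                               "violated-directive": "script-src-elem",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/about",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "violated-directive": "font-src 'self'",
                               "blocked-uri": "https://fonts.example.net"}}),
    "not json at all",                      # junk hitting the public endpoint
    json.dumps({"csp-report": "unexpected"}),  # wrong shape, also skipped
]


if __name__ == "__main__":
    name, value = build_csp_header(DIRECTIVES, REPORT_URI)
    print(f"{name}: {value}")
    for (directive, blocked), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:18s} {blocked}")
```

Run it to see the header the middleware would emit and a ranked list of what enforcement would block; the `inline` entries under `script-src-elem` are the typical first finding (inline `<script>` blocks that need a nonce, a hash, or moving to a file) before the policy can be switched from report-only to enforced.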