Module: CoalescingPanda::SecureHeaders

Defined in:
lib/coalescing_panda/secure_headers.rb


Class Method Details

.apply_defaults(config) ⇒ Object



# File 'lib/coalescing_panda/secure_headers.rb', line 3

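# Populates +config+ with CoalescingPanda's baseline secure_headers settings
# (cookie flags, X-Frame-Options, nosniff, referrer policy and a CSP that is
# widened for development tooling and for Sentry/Scout when they are present).
#
# Meant to run once at boot. It mutates +config+ in place and returns it.
# The module-level +@config+ is only a scratch slot that the +csp_entry+
# helper reads while this method runs; it is shared state, so concurrent
# calls would race — NOTE(review): assumes single-threaded initialisation.
#
# @param config [SecureHeaders::Configuration] the configuration to populate
# @return [SecureHeaders::Configuration] the same +config+, mutated
def self.apply_defaults(config)
  @config = config

  # The gem's default cookie settings are not compatible with CoalescingPanda
  # cookies: the tool is embedded cross-site by the LMS, so cookies have to be
  # SameSite=None. NOTE(review): SameSite=None cookies ride along on
  # cross-site requests, so CSRF protection must come from elsewhere (LTI
  # launch signatures / Rails CSRF tokens). Current browsers also drop
  # SameSite=None cookies that lack the Secure flag, so outside production
  # (plain-HTTP dev) these cookies may not be stored at all.
  config.cookies = { samesite: { none: true } }
  config.cookies[:secure] = true if Rails.env.production?

  # LTI launches render this app inside the LMS's iframe.
  # NOTE(review): "ALLOWALL" is not a value defined by RFC 7034; browsers
  # ignore unrecognised X-Frame-Options values, so this effectively disables
  # framing protection for *every* origin, not just the LMS. The standard way
  # to permit a specific embedder is CSP +frame-ancestors+ listing the LMS
  # origin(s); worth revisiting if those origins are known at config time.
  config.x_frame_options = "ALLOWALL"

  config.x_content_type_options = "nosniff"
  # NOTE(review): the XSS auditor has been removed from current browsers and
  # "1; mode=block" is now discouraged in favour of "0" (the filter enabled
  # side channels in browsers that still honour it). Left unchanged here to
  # preserve existing behaviour; consider switching to "0".
  config.x_xss_protection = "1; mode=block"
  # Fallback list: a browser uses the last policy it recognises.
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)

  config.csp ||= {}

  csp_entry(:default_src, %w['self'])
  csp_entry(:connect_src, %w['self'])
  csp_entry(:script_src, %w['self'])

  if Rails.env.development?
    # Allow webpack-dev-server (HTTP + websocket) to work
    csp_entry(:connect_src, "http://localhost:3035")
    csp_entry(:connect_src, "ws://localhost:3035")

    # Allow stuff like rack-mini-profiler to work in development:
    # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
    # DON'T ENABLE THIS FOR PRODUCTION!
    csp_entry(:script_src, "'unsafe-eval'")

    # Detect and permit Scout APM in Dev (opt-in via SCOUT_DEV_TRACE)
    if MiscHelper.to_boolean(ENV['SCOUT_DEV_TRACE'])
      csp_entry(:default_src, 'https://scoutapm.com')
      csp_entry(:default_src, 'https://apm.scoutapp.com')

      csp_entry(:script_src, "'unsafe-inline'")
      csp_entry(:script_src, 'https://scoutapm.com')
      csp_entry(:script_src, 'https://apm.scoutapp.com')

      csp_entry(:connect_src, 'https://apm.scoutapp.com')

      csp_entry(:style_src, 'https://scoutapm.com')
      csp_entry(:style_src, 'https://apm.scoutapp.com')
    end
  end

  # Detect and permit Sentry (Raven): the browser client must be allowed to
  # reach the DSN host.
  if defined?(Raven) && Raven.configuration.server.present?
    csp_entry(:connect_src, Raven.configuration.server)

    # Report CSP violations to Sentry unless the host app already configured
    # a report_uri. +sentry_key+ is the DSN's *public* key, which is what
    # Sentry's security-report endpoint expects; no secret is exposed here.
    unless config.csp[:report_uri].present?
      cfg = Raven.configuration
      config.csp[:report_uri] = ["#{cfg.scheme}://#{cfg.host}/api/#{cfg.project_id}/security/?sentry_key=#{cfg.public_key}"]
    end
  end

  # Certain CSS-in-JS libraries inline the CSS, so we need 'unsafe-inline' on
  # style-src. NOTE(review): this applies in production too and permits
  # attacker-injected inline CSS (data exfiltration via CSS selectors is a
  # known technique); nonces or hashes would be the tighter option if the
  # libraries in use support them.
  csp_entry(:style_src, %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com))
  csp_entry(:font_src, %w('self' data: https://fonts.gstatic.com))

  config
ensure
  # Always release the scratch reference, even if a csp_entry call raised,
  # so a failed boot does not leave a stale config pinned on the module.
  @config = nil
end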