From 8ea5613371d9eb3690dbd276c3bea845f6b20b23 Mon Sep 17 00:00:00 2001
From: Aarthy Adityan
Date: Thu, 21 Aug 2025 16:50:45 -0400
Subject: [PATCH 1/2] fix(security): add headers
---
 observability_ui/apps/shell/src/index.html | 2 +-
 observability_ui/nginx.conf | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/observability_ui/apps/shell/src/index.html b/observability_ui/apps/shell/src/index.html
index 4f36106..25a778c 100644
--- a/observability_ui/apps/shell/src/index.html
+++ b/observability_ui/apps/shell/src/index.html
@@ -14,7 +14,7 @@
Date: Fri, 22 Aug 2025 13:43:43 -0400
Subject: [PATCH 2/2] fix(security): add cors header
---
 observability_ui/nginx.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/observability_ui/nginx.conf b/observability_ui/nginx.conf
index aadc9a5..ab8d24e 100644
--- a/observability_ui/nginx.conf
+++ b/observability_ui/nginx.conf
@@ -70,6 +70,7 @@ http {
 add_header Referrer-Policy strict-origin-when-cross-origin;
 add_header Permissions-Policy "attribution-reporting=(self),deferred-fetch=(self),deferred-fetch-minimal=(self),fullscreen=(self),storage-access=(self),web-share=(self),accelerometer=(),autoplay=(),bluetooth=(),camera=(),captured-surface-control=(),compute-pressure=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),language-detector=(),microphone=(),local-fonts=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),publickey-credentials-create=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),summarizer=(),translator=(),usb=(),window-management=(),xr-spatial-tracking=()";
 add_header Cross-Origin-Opener-Policy same-origin;
+ add_header Cross-Origin-Resource-Policy same-origin;
 add_header Cross-Origin-Embedder-Policy require-corp;
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-${request_id}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; frame-ancestors 'none'; connect-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net ${api_hostname}; ${csp_extra}" always;
 }
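Review bot: The added `Cross-Origin-Resource-Policy` line, like the neighbouring Referrer-Policy, Permissions-Policy, COOP and COEP lines, lacks the `always` flag that only the Content-Security-Policy line carries, so nginx emits it on 2xx/3xx responses but not on 4xx/5xx error pages; suggest `add_header Cross-Origin-Resource-Policy same-origin always;` and the same flag on the sibling headers. These `add_header` directives appear to live directly in the `http {` block (per the hunk context), and nginx inherits `add_header` from the enclosing level only when the current level defines none, so any `server` or `location` block elsewhere in the file that has its own `add_header` would silently drop this entire set — that cannot be confirmed from this hunk. With `Cross-Origin-Embedder-Policy require-corp` two lines below, every cross-origin resource the CSP allows (cdn.jsdelivr.net, fonts.gstatic.com) must be served with CORP or CORS headers and loaded with `crossorigin`, otherwise the browser blocks it; presumably those CDNs comply, but it is worth verifying against the actual script, style and font tags. The commit subject says "cors header", whereas the header added is CORP (Cross-Origin-Resource-Policy), which is a different mechanism from CORS.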