
Add Content Security Policy builder #14

Merged
merged 11 commits into from Mar 1, 2019

Conversation

@cak (Contributor) commented Feb 14, 2019

  • Enhance the configuration of the Content Security Policy header
  • Add CSP Keywords
  • Add Report-To Directive
```swift
let cspConfig = ContentSecurityPolicy()
    .defaultSrc(sources: CSPKeywords.none)
    .scriptSrc(sources: "https://static.brokenhands.io")
    .styleSrc(sources: "https://static.brokenhands.io")
    .imgSrc(sources: "https://static.brokenhands.io")
    .fontSrc(sources: "https://static.brokenhands.io")
    .connectSrc(sources: "https://*.brokenhands.io")
    .formAction(sources: CSPKeywords.`self`)
    .upgradeInsecureRequests()
    .blockAllMixedContent()
    .requireSriFor(values: "script", "style")
    .reportUri(uri: "https://csp-report.brokenhands.io")

let securityHeaders = SecurityHeaders(contentSecurityPolicyConfiguration: cspConfig)
```

```http
Content-Security-Policy: default-src 'none'; script-src https://static.brokenhands.io; style-src https://static.brokenhands.io; img-src https://static.brokenhands.io; font-src https://static.brokenhands.io; connect-src https://*.brokenhands.io; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; require-sri-for script style; report-uri https://csp-report.brokenhands.io
```

- Adjust SecurityHeaders, SecurityHeadersFactory for new CSP builder
- Modify tests for new CSP builder
- Mark CSPReportToEndpoint and CSPReportTo initializers public
- Mark CSPKeywords static constants public
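Because the serialized header value is what the browser actually enforces, a useful check on any builder output is to parse it back into directives and lint the result. The following Python is an added example, not code from this PR or the Vapor Security Headers project; `parse_csp`, `csp_findings`, `RISKY_SOURCES` and the `WEAK_HEADER` sample are constructed here, while `PR_HEADER` is the exact value shown in the PR description.

```python
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.
    Directives are ';'-separated and tokens whitespace-separated; a bare
    directive (e.g. upgrade-insecure-requests) maps to an empty list.
    A repeated directive is ignored after its first occurrence, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src")
# Constructed list of source expressions a reviewer would flag in a fetch directive.
RISKY_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")

def csp_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Return findings for a weak or incomplete policy (empty list if none)."""
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    for name in FETCH_DIRECTIVES:
        for src in policy.get(name, []):
            if src in RISKY_SOURCES:
                findings.append(f"{name} allows {src}")
    if "form-action" not in policy:
        findings.append("no form-action: forms may submit to any origin")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will go unobserved")
    return findings

# Header value exactly as the builder in the PR description emits it.
PR_HEADER = ("default-src 'none'; script-src https://static.brokenhands.io; "
             "style-src https://static.brokenhands.io; img-src https://static.brokenhands.io; "
             "font-src https://static.brokenhands.io; connect-src https://*.brokenhands.io; "
             "form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; "
             "require-sri-for script style; report-uri https://csp-report.brokenhands.io")

# Constructed weaker policy for comparison (not from the page).
WEAK_HEADER = "script-src 'self' 'unsafe-inline'; img-src *"

if __name__ == "__main__":
    for label, hdr in (("PR policy", PR_HEADER), ("weak policy", WEAK_HEADER)):
        print(label, csp_findings(parse_csp(hdr)) or ["no findings"])
```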
@0xTim (Member) left a comment

Looks awesome! Few minor changes

- Format CSP builder directives
- Add custom header via ContentSecurityPolicy().set(value) or ContentSecurityPolicyConfiguration(value)
- Fix configure CSP missing step
- Better names for constants
- Remove semicolon on expectedCSPHeaderValue
- Merge middleware test fix
@codecov bot commented Feb 15, 2019

Codecov Report

Merging #14 into master will not change coverage.
The diff coverage is 100%.

```text
@@          Coverage Diff          @@
##           master    #14   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files          10     10           
  Lines         130    218   +88     
=====================================
+ Hits          130    218   +88
```

| Impacted Files | Coverage Δ |
|---|---|
| Sources/VaporSecurityHeaders/SecurityHeaders.swift | 100% <ø> (ø) ⬆️ |
| ...gurations/ContentSecurityPolicyConfiguration.swift | 100% <100%> (ø) ⬆️ |
| .../VaporSecurityHeaders/SecurityHeadersFactory.swift | 100% <100%> (ø) ⬆️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update a4435a8...75ffdfa.

@0xTim 0xTim self-assigned this Feb 21, 2019
@0xTim 0xTim merged commit beecf53 into brokenhandsio:master Mar 1, 2019
@0xTim 0xTim mentioned this pull request Mar 1, 2019