diff --git a/backend/env.yml b/backend/env.yml
index f188883c..ba97bb44 100644
--- a/backend/env.yml
+++ b/backend/env.yml
@@ -9,6 +9,10 @@ staging:
   DB_NAME: ${ssm:/crossfeed/staging/DATABASE_NAME}
   DB_USERNAME: ${ssm:/crossfeed/staging/DATABASE_USER}
   DB_PASSWORD: ${ssm:/crossfeed/staging/DATABASE_PASSWORD}
+  CORS_MAIN: ${ssm:/crossfeed/staging/CORS_MAIN}
+  CORS_DOCS: ${ssm:/crossfeed/staging/CORS_DOCS}
+  CSP_MAIN: ${ssm:/crossfeed/staging/CSP_MAIN}
+  CSP_DOCS: ${ssm:/crossfeed/staging/CSP_DOCS}
   MDL_USERNAME: ${ssm:/crossfeed/staging/MDL_USERNAME}
   MDL_PASSWORD: ${ssm:/crossfeed/staging/MDL_PASSWORD}
   MDL_NAME: ${ssm:/crossfeed/staging/MDL_NAME}
@@ -64,6 +68,10 @@ prod:
   DB_NAME: ${ssm:/crossfeed/prod/DATABASE_NAME}
   DB_USERNAME: ${ssm:/crossfeed/prod/DATABASE_USER}
   DB_PASSWORD: ${ssm:/crossfeed/prod/DATABASE_PASSWORD}
+  CORS_MAIN: ${ssm:/crossfeed/prod/CORS_MAIN}
+  CORS_DOCS: ${ssm:/crossfeed/prod/CORS_DOCS}
+  CSP_MAIN: ${ssm:/crossfeed/prod/CSP_MAIN}
+  CSP_DOCS: ${ssm:/crossfeed/prod/CSP_DOCS}
   MDL_USERNAME: ${ssm:/crossfeed/prod/MDL_USERNAME}
   MDL_PASSWORD: ${ssm:/crossfeed/prod/MDL_PASSWORD}
   MDL_NAME: ${ssm:/crossfeed/prod/MDL_NAME}
diff --git a/backend/src/api/app.ts b/backend/src/api/app.ts
index 57f3f16f..cc6739ca 100644
--- a/backend/src/api/app.ts
+++ b/backend/src/api/app.ts
@@ -70,32 +70,12 @@ app.use(
 app.use(express.json({ strict: false }));
-app.use(
-  cors({
-    origin: '*',
-    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
-  })
-);
+const { origin, methods } = JSON.parse(process.env.CORS_MAIN!);
+app.use(cors({ origin, methods }));
 app.use(
   helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: [
-          "'self'",
-          'https://cognito-idp.us-east-1.amazonaws.com',
-          'https://api.staging-cd.crossfeed.cyber.dhs.gov'
-        ],
-        objectSrc: ["'none'"],
-        scriptSrc: [
-          "'self'",
-          'https://api.staging-cd.crossfeed.cyber.dhs.gov'
-          // Add any other allowed script sources here
-        ],
-        frameAncestors: ["'none'"]
-        // Add other directives as needed
-      }
-    },
+    contentSecurityPolicy: JSON.parse(process.env.CSP_MAIN!),
     hsts: {
       maxAge: 31536000,
       includeSubDomains: true,
diff --git a/dev.env.example b/dev.env.example
index 56dc76ad..20c705b6 100644
--- a/dev.env.example
+++ b/dev.env.example
@@ -6,6 +6,11 @@ DB_PASSWORD=password
 DB_NAME=crossfeed
 JWT_SECRET=CHANGE_ME
+CORS_MAIN={"origin":"http://localhost","methods":"GET,POST,PUT,DELETE,OPTIONS"}
+CORS_DOCS={"origin":"http://localhost","methods":"GET"}
+CSP_MAIN={"directives":{"defaultSrc":["'self'","http://localhost"],"frameSrc":["'self'","https://www.dhs.gov/ntas/"],"imgSrc":["'self'","http://localhost","https://www.dhs.gov"],"objectSrc":["'none'"],"scriptSrc":["'self'","http://localhost","https://www.dhs.gov"],"frameAncestors":["'none'"]}}
+CSP_DOCS={"directives":{"baseUri":["'none'"],"defaultSrc":["'self'"],"frameAncestors":["'none'"],"objectSrc":["'none'"],"scriptSrc":["'none'"]}}
+
 MDL_USERNAME=mdl
 MDL_PASSWORD=password
 MDL_NAME=crossfeed_mini_datalake
diff --git a/frontend/scripts/api.js b/frontend/scripts/api.js
index 9dcc23d8..e46b7b6e 100644
--- a/frontend/scripts/api.js
+++ b/frontend/scripts/api.js
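Review bot: The two added lines after `app.use(express.json(...))` and the new `contentSecurityPolicy:` line call `JSON.parse(process.env.CORS_MAIN!)` / `JSON.parse(process.env.CSP_MAIN!)` at module load with nothing but a non-null assertion guarding them, so an unset or malformed SSM parameter fails with a bare SyntaxError from JSON.parse that does not name the variable, and `origin`/`methods` reach cors with no shape check at all. A small typed helper that checks presence, parses, and reports the variable name would make that startup failure diagnosable and give one place to validate the shape before it is handed to cors and helmet; the same unguarded pattern is repeated in the frontend/scripts/api.js and frontend/scripts/docs.js hunks. Worth a comment near the parse as well: the CSP and CORS policy are now runtime configuration, so they are only as protected as write access to those SSM parameters. The `app.use(helmet({ ... }))` call continues past the visible end of the hunk.
```typescript
// Read a JSON-valued environment variable at startup; a missing or malformed
// value fails with the variable's name instead of a bare SyntaxError.
function parseJsonEnv<T>(name: string): T {
  const raw = process.env[name];
  if (raw === undefined || raw.trim() === '') {
    throw new Error(`Required environment variable ${name} is not set`);
  }
  try {
    return JSON.parse(raw) as T;
  } catch (err) {
    throw new Error(
      `Environment variable ${name} is not valid JSON: ${(err as Error).message}`
    );
  }
}

const { origin, methods } = parseJsonEnv<{
  origin: string | string[];
  methods: string | string[];
}>('CORS_MAIN');
app.use(cors({ origin, methods }));
app.use(
  helmet({
    contentSecurityPolicy: parseJsonEnv('CSP_MAIN'),
    // … unchanged: hsts block …
```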
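Review bot: The added `CORS_MAIN` and `CORS_DOCS` values pin `origin` to `http://localhost` with no port, and cors compares a string origin by exact match, so a dev frontend served on a port such as `http://localhost:3000` would receive no `Access-Control-Allow-Origin` header at all; if that is how local development runs, the example should carry the port or use an array of origins. The four entries also arrive with no explanation of their format; a comment line above them, `# CORS_*/CSP_* are JSON consumed by JSON.parse in backend/src/api/app.ts and frontend/scripts/{api,docs}.js; keep each value on one line`, would tell the next person editing the file what shape these must keep.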
@@ -5,7 +5,6 @@ import cors from 'cors';
 import helmet from 'helmet';
 import express from 'express';
 import path from 'path';
-import { ALLOW_ORIGIN, ALLOW_METHODS } from './constants.js';
 export const app = express();
@@ -17,27 +16,25 @@ app.use((req, res, next) => {
   next();
 });
-app.use(cors({ origin: ALLOW_ORIGIN, methods: ALLOW_METHODS }));
+app.use(express.json({ strict: false }));
+
+const { origin, methods } = JSON.parse(process.env.CORS_MAIN);
+app.use(cors({ origin, methods }));
+
+app.use(
+  helmet({
+    contentSecurityPolicy: JSON.parse(process.env.CSP_MAIN),
+    hsts: {
+      maxAge: 31536000,
+      includeSubDomains: true,
+      preload: true
+    }
+  })
+);
 app.use(
   helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: [
-          "'self'",
-          'https://cognito-idp.us-east-1.amazonaws.com',
-          'https://api.staging-cd.crossfeed.cyber.dhs.gov'
-        ],
-        objectSrc: ["'none'"],
-        scriptSrc: [
-          "'self'",
-          'https://api.staging-cd.crossfeed.cyber.dhs.gov'
-          // Add any other allowed script sources here
-        ],
-        frameAncestors: ["'none'"]
-        // Add other directives as needed
-      }
-    },
+    contentSecurityPolicy: JSON.parse(process.env.CSP_MAIN),
     hsts: {
       maxAge: 31536000,
       includeSubDomains: true,
diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
deleted file mode 100644
index 3520ae39..00000000
--- a/frontend/scripts/constants.js
+++ /dev/null
@@ -1,3 +0,0 @@
-//CORS Options
-export const ALLOW_ORIGIN = '*';
-export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
diff --git a/frontend/scripts/docs.js b/frontend/scripts/docs.js
index b3ef5d65..a74b9da1 100644
--- a/frontend/scripts/docs.js
+++ b/frontend/scripts/docs.js
@@ -4,7 +4,6 @@ import path from 'path';
 import rateLimit from 'express-rate-limit';
 import cors from 'cors';
 import helmet from 'helmet';
-import { ALLOW_ORIGIN, ALLOW_METHODS } from './constants.js';
 export const app = express();
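Review bot: helmet is now mounted twice in api.js — the added `app.use(helmet({ contentSecurityPolicy: JSON.parse(process.env.CSP_MAIN), hsts: {...} }))` block is immediately followed by the pre-existing `app.use(helmet({ ... }))`, which the same hunk also switches to `CSP_MAIN`, so every request runs the same middleware with the same configuration two times. One of the two blocks should go; the added one is complete within the hunk, while the pre-existing one's closing lines lie past the visible end of the hunk, so the safer edit is to drop the added block and keep the original, leaving a single `app.use(helmet({ contentSecurityPolicy: JSON.parse(process.env.CSP_MAIN), ... }))`. The added `app.use(express.json({ strict: false }))` also has no visible consumer in this static-serving script; if nothing reads `req.body` here, a comment explaining why the body parser is mounted, or removing it, would spare the next reader the question.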
@@ -17,19 +16,16 @@ app.use(
 app.use(express.static(path.join(__dirname, '../docs/build')));
-app.use(cors({ origin: ALLOW_ORIGIN, methods: ALLOW_METHODS }));
-
+const { origin, methods } = JSON.parse(process.env.CORS_DOCS);
+app.use(
+  cors({
+    origin,
+    methods
+  })
+);
 app.use(
   helmet({
-    contentSecurityPolicy: {
-      directives: {
-        baseUri: ["'none'"],
-        defaultSrc: ["'self'"],
-        frameAncestors: ["'none'"],
-        objectSrc: ["'none'"],
-        scriptSrc: ["'none'"]
-      }
-    },
+    contentSecurityPolicy: JSON.parse(process.env.CSP_DOCS),
     hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
     xFrameOptions: 'DENY'
   })
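Review bot: `const { origin, methods } = JSON.parse(process.env.CORS_DOCS);` yields `undefined` for both fields if the parameter is valid JSON but lacks those keys, and as far as I recall cors treats a missing `origin` option the same as `'*'`, so a misconfigured parameter would quietly restore the wildcard that this commit removes. A guard after the parse, `if (origin === undefined) throw new Error('CORS_DOCS must define origin');`, plus a comment above it, `// CORS_DOCS: JSON cors() options {origin, methods}; CSP_DOCS: JSON helmet contentSecurityPolicy config — see dev.env.example`, would document the expected shape where it is consumed and fail loudly instead. As a matter of consistency with app.ts and api.js, the cors call could stay on one line, `app.use(cors({ origin, methods }));`. The enclosing `app.use(helmet({ ... }))` appears to continue past the visible end of the hunk.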