nginx/csp: enforce policy for central-backend #1859

Merged
alxndrsn merged 19 commits into getodk:next from alxndrsn:enable-backend-csp
May 5, 2026
alxndrsn commented Apr 28, 2026

Switch from Content-Security-Policy-Report-Only to Content-Security-Policy.

What has been done to verify that this works as intended?

  • Long-term monitoring of CSP reports.
  • Updated tests.

Why is this the best possible solution? Were any other approaches considered?

Could leave it off?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Should be low-impact for backend paths - almost none of them except OIDC-related paths are viewed in-browser or expected to have HTML content.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced
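The PR description above relies on long-term monitoring of CSP reports before switching the header from report-only to enforcing. The following is an added example, not code from the getodk/central PR or its nginx test suite, of how such a report stream can be triaged for that decision: it parses report-uri style bodies, groups them by directive and blocked resource, separates browser-extension noise from real breakage, and answers whether enforcement is safe. The hostname, paths and sample reports are constructed.

```javascript
// Added example, not code from the getodk/central PR: triage CSP violation reports
// collected while the header ran as Content-Security-Policy-Report-Only, to judge
// whether switching to an enforcing Content-Security-Policy is safe. Bodies use the
// legacy report-uri format ({"csp-report": {...}}); samples below are constructed.
const NOISE_SCHEMES = ['chrome-extension:', 'moz-extension:'];
// Builds one constructed sample body; the hostname and paths are illustrative.
function report(path, directive, blocked) {
  return { 'csp-report': { 'document-uri': `https://central.example${path}`,
                           'effective-directive': directive, 'blocked-uri': blocked } };
}
const SAMPLE_REPORTS = [
  report('/v1/oidc/login', 'script-src', 'inline'),
  report('/v1/oidc/login', 'script-src', 'inline'),
  report('/v1/projects', 'style-src', 'chrome-extension://abc/x.css'),
  report('/v1/sessions', 'img-src', 'moz-extension://xyz/i.png'),
];
// Extract the triage fields from one report body (parsed object or JSON text).
function parseReport(body) {
  const r = (typeof body === 'string' ? JSON.parse(body) : body)['csp-report'];
  if (!r) throw new Error('not a csp-report payload');
  const blocked = r['blocked-uri'] || '';
  return {
    path: new URL(r['document-uri']).pathname,
    directive: r['effective-directive'] || r['violated-directive'],
    blocked,
    // Extension-injected resources are noise: enforcement changes nothing for the page.
    noise: NOISE_SCHEMES.some(s => blocked.startsWith(s)),
  };
}
// Group by (directive, blocked-uri): each group is one resource enforcement would
// block, with how often and on which document paths it was reported.
function summarise(reports) {
  const groups = new Map();
  for (const body of reports) {
    const p = parseReport(body);
    const key = `${p.directive} ${p.blocked}`;
    const g = groups.get(key) ||
      { directive: p.directive, blocked: p.blocked, noise: p.noise, count: 0, paths: [] };
    g.count += 1;
    if (!g.paths.includes(p.path)) g.paths.push(p.path);
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}
// Safe to enforce only when every remaining violation group is extension noise.
function safeToEnforce(reports) {
  const blockers = summarise(reports).filter(g => !g.noise);
  return { safe: blockers.length === 0, blockers };
}
```

Run against the constructed sample, the inline script on the OIDC login path is reported as a real blocker while the two extension-injected resources are dismissed, so the check says enforcement is not yet safe.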

alxndrsn marked this pull request as ready for review April 28, 2026 12:51
alxndrsn merged commit af64f1d into getodk:next May 5, 2026
6 checks passed
alxndrsn deleted the enable-backend-csp branch May 5, 2026 12:27