Define Content-Security-Policy header to block inline JavaScript

also define the same headers in middleware during testing and development to avoid building a container for every change
kiwitcms · Mar 8, 2023 · 6617cee · 6617cee
1 parent ba358cb
commit 6617cee
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 1 deletion.
diff --git a/etc/nginx.conf b/etc/nginx.conf
@@ -62,8 +62,10 @@ http {
         server unix:///tmp/kiwitcms.sock;
     }
 
+    # WARNING: make sure these match tcms.core.middleware.ExtraHeadersMiddleware
     add_header X-Frame-Options DENY;
     add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "script-src 'self' cdn.crowdin.com;";
 
     server {
         listen       8080;

diff --git a/tcms/core/middleware.py b/tcms/core/middleware.py
@@ -18,3 +18,20 @@ def process_request(self, request):
             # Redirect to Setup view
             return HttpResponseRedirect(reverse("init-db"))
         return None
+
+
+class ExtraHeadersMiddleware(MiddlewareMixin):
+    """
+    This is enabled only during testing and development. The actual headers
+    are configured in `etc/nginx.conf`!
+    """
+
+    def process_response(self, request, response):
+        if settings.DEBUG:
+            response.headers["X-Frame-Options"] = "DENY"
+            response.headers["X-Content-Type-Options"] = "nosniff"
+            response.headers[
+                "Content-Security-Policy"
+            ] = "script-src 'self' cdn.crowdin.com;"
+
+        return response
diff --git a/tcms/settings/devel.py b/tcms/settings/devel.py
@@ -30,7 +30,10 @@
 }
 # django-debug-toolbar settings
 
-MIDDLEWARE += ["debug_toolbar.middleware.DebugToolbarMiddleware"]  # noqa: F405
+MIDDLEWARE += [  # noqa: F405
+    "debug_toolbar.middleware.DebugToolbarMiddleware",
+    "tcms.core.middleware.ExtraHeadersMiddleware",
+]
 
 INSTALLED_APPS += ["debug_toolbar"]  # noqa: F405
 

diff --git a/tests/test_http.sh b/tests/test_http.sh
@@ -87,6 +87,10 @@ _EOF_
         rlRun -t -c "curl -k -D- https://localhost 2>/dev/null | grep 'X-Content-Type-Options: nosniff'"
     rlPhaseEnd
 
+    rlPhaseStartTest "Should send Content-Security-Policy header"
+        rlRun -t -c "curl -k -D- https://localhost 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com;'"
+    rlPhaseEnd
+
     rlPhaseStartTest "Performance baseline for /accounts/register/"
         exec_wrk "https://localhost/accounts/login/" "$WRK_DIR" "register-account-page"
     rlPhaseEnd