Legger til csp

Author: anders-nom

package-lock.json

@@ -23,6 +23,7 @@
     "@navikt/aksel-icons": "5.15.1",
     "@navikt/ds-css": "5.15.1",
     "@navikt/ds-react": "5.15.1",
+    "csp-header": "5.2.1",
     "lodash.debounce": "4.0.8",
     "react": "18.2.0",
     "react-dom": "18.2.0",

package.json

@@ -5,8 +5,9 @@
   "type": "module",
   "scripts": {
     "build": "esbuild src/server.ts --bundle --platform=node --packages=external --outfile=dist/server/server.cjs",
-    "start": "node ./dist/server/server.cjs",
-    "dev": "npm run build && concurrently \"npm run build -- --watch\" \"nodemon -w ./dist/server -w ../.env ./dist/server/server.cjs\""
+    "start": "node -r dotenv/config ./dist/server/server.cjs dotenv_config_path=../.env",
+    "nodemon-start": "nodemon -r dotenv/config -w ./dist/server -w ../.env ./dist/server/server.cjs dotenv_config_path=../.env",
+    "dev": "npm run build && concurrently \"npm run build -- --watch\" \"npm run nodemon-start\""
   },
   "dependencies": {
     "@opensearch-project/opensearch": "2.5.0",

server/package.json

@@ -6,6 +6,7 @@ import mime from 'mime';
 import { HtmlRenderer } from '../site/ssr/htmlRenderer';
 import { transformQueryToContentSearchParams } from '../opensearch/queries/contentSearch';
 import { CmsArchiveCategoriesService } from './CmsArchiveCategoriesService';
+import { cspMiddleware } from '../routing/csp';
 
 export type CmsArchiveSiteConfig = {
     name: string;
@@ -106,7 +107,7 @@ export class CmsArchiveSite {
     }
 
     private setupSiteRoutes(router: Router, htmlRenderer: HtmlRenderer) {
-        router.get('/:versionKey?', async (req, res) => {
+        router.get('/:versionKey?', cspMiddleware, async (req, res) => {
             const rootCategories = this.cmsArchiveCategoriesService.getRootCategories();
 
             const appContext = {
@@ -121,7 +122,7 @@ export class CmsArchiveSite {
             return res.send(html);
         });
 
-        router.get('/html/:versionKey', async (req, res) => {
+        router.get('/html/:versionKey', cspMiddleware, async (req, res) => {
             const { versionKey } = req.params;
 
             const version = await this.cmsArchiveContentService.getContentVersion(versionKey);

server/src/cms/CmsArchiveSite.ts

@@ -0,0 +1,27 @@
+import { RequestHandler } from 'express';
+import { DATA, getCSP, SELF, UNSAFE_EVAL, UNSAFE_INLINE } from 'csp-header';
+
+const HMR_HOST = 'localhost:24678';
+const NAV_CDN_HOST = 'https://cdn.nav.no';
+
+const csp = getCSP({
+    directives: {
+        'default-src': [SELF, DATA],
+        'script-src': [SELF, UNSAFE_INLINE, UNSAFE_EVAL],
+        'script-src-elem': [SELF, UNSAFE_INLINE],
+        'style-src': [SELF, UNSAFE_INLINE],
+        'style-src-elem': [SELF, UNSAFE_INLINE],
+        'font-src': [SELF, DATA, NAV_CDN_HOST],
+        'connect-src': [
+            SELF,
+            ...(process.env.NODE_ENV === 'development'
+                ? [`ws://${HMR_HOST}`, `http://${HMR_HOST}`]
+                : []),
+        ],
+    },
+});
+
+export const cspMiddleware: RequestHandler = (req, res, next) => {
+    res.setHeader('Content-Security-Policy', csp);
+    next();
+};

server/src/routing/csp.ts

@@ -1,7 +1,3 @@
-import dotenv from 'dotenv';
-
-dotenv.config({ path: '../.env' });
-
 import express from 'express';
 import compression from 'compression';
 import { setupErrorHandlers } from './routing/errorHandlers';