From 8e362cb3d58a6e20f10a09369ca63fc61f2441e2 Mon Sep 17 00:00:00 2001
From: Kirstie <39728053+epixieme@users.noreply.github.com>
Date: Tue, 27 Aug 2024 10:35:07 +0100
Subject: [PATCH 1/2] chore: Update Content-Security-Policy header in nginx.config
---
 nginx.config | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nginx.config b/nginx.config
index 539977bf..93f39b4c 100644
--- a/nginx.config
+++ b/nginx.config
@@ -8,13 +8,13 @@ server {
 location / {
 try_files $$uri /index.html;
 }
-
+ add_header Content-Security-Policy "default-src 'self'; frame-src https://www.google.com/; script-src 'self' https://www.googletagmanager.com/ https://*.google-analytics.com https://*.analytics.google.com https://www.google.com/ https://www.gstatic.com/ 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://*.typekit.net https://fonts.googleapis.com; img-src * www.googletagmanager.com 'self' data: https; font-src 'self' *.typekit.net fonts.googleapis.com fonts.gstatic.com; connect-src 'self' https://*.okta.com https://app-backend-test-001.azurewebsites.net https://app-backend-prod-001.azurewebsites.net https://sentry.io https://o1287611.ingest.sentry.io/api/6526369/envelope/?sentry_key=b0ca2fb00555461ba86f659a99cceb37&sentry_version=7 https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37; report-uri https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37;";
 add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY;
 add_header X-XSS-Protection "1; mode=block";
 add_header Feature-Policy "accelerometer 'none'; camera 'none'; microphone 'none'";
- add_header Content-Security-Policy "script-src 'self' https://www.googletagmanager.com/ https://accounts.google.com/gsi/client https://*.google-analytics.com https://*.analytics.google.com https://www.google.com/ https://www.gstatic.com/ https://accounts.google.com 'unsafe-inline' 'unsafe-eval'";
+
 }
From 6c142b0764d4b8c7dd2fa7fa2e49bc105c2fa4f7 Mon Sep 17 00:00:00 2001
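Review bot: The `script-src` on the added Content-Security-Policy line keeps `'unsafe-inline' 'unsafe-eval'`, so the policy still permits injected inline scripts and `eval`, which is the exact class of XSS a CSP is meant to stop; the fix is to move inline scripts to nonces or hashes (`'nonce-…'` with `'strict-dynamic'`) and drop both keywords, and until then the header is mostly a reporting aid rather than a control. Whole-host entries such as `https://www.google.com/` and `https://www.gstatic.com/` are also widely documented CSP bypass sources (JSONP endpoints and hosted library copies), so they should be narrowed to the specific paths the app actually loads. The two `connect-src` entries for `o1287611.ingest.sentry.io` carry a query string, which is not a valid CSP source expression, so browsers are likely to discard them and leave the ingest host unlisted; `https://o1287611.ingest.sentry.io` is what the directive needs, with the key left only in `report-uri`. The policy also sets no `base-uri`, `form-action` or `frame-ancestors`, which `default-src` does not cover — `base-uri 'self'; form-action 'self'; frame-ancestors 'none';` would close base-tag and form hijacking and match the existing `X-Frame-Options DENY`. Note too that nginx emits `add_header` only on 2xx/3xx responses, so the `always` flag is needed if error pages should carry these headers as well.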
From: Kirstie <39728053+epixieme@users.noreply.github.com>
Date: Tue, 27 Aug 2024 10:38:09 +0100
Subject: [PATCH 2/2] adding accounts.google to the csm line
---
 nginx.config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx.config b/nginx.config
index 93f39b4c..c3c13a08 100644
--- a/nginx.config
+++ b/nginx.config
@@ -8,7 +8,7 @@ server {
 location / {
 try_files $$uri /index.html;
 }
- add_header Content-Security-Policy "default-src 'self'; frame-src https://www.google.com/; script-src 'self' https://www.googletagmanager.com/ https://*.google-analytics.com https://*.analytics.google.com https://www.google.com/ https://www.gstatic.com/ 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://*.typekit.net https://fonts.googleapis.com; img-src * www.googletagmanager.com 'self' data: https; font-src 'self' *.typekit.net fonts.googleapis.com fonts.gstatic.com; connect-src 'self' https://*.okta.com https://app-backend-test-001.azurewebsites.net https://app-backend-prod-001.azurewebsites.net https://sentry.io https://o1287611.ingest.sentry.io/api/6526369/envelope/?sentry_key=b0ca2fb00555461ba86f659a99cceb37&sentry_version=7 https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37; report-uri https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37;";
+ add_header Content-Security-Policy "default-src 'self'; frame-src https://www.google.com/; script-src 'self' https://www.googletagmanager.com/ https://*.google-analytics.com https://*.analytics.google.com https://www.google.com/ https://www.gstatic.com/ https://accounts.google.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://*.typekit.net https://fonts.googleapis.com; img-src * www.googletagmanager.com 'self' data: https; font-src 'self' *.typekit.net fonts.googleapis.com fonts.gstatic.com; connect-src 'self' https://*.okta.com https://app-backend-test-001.azurewebsites.net https://app-backend-prod-001.azurewebsites.net https://sentry.io https://o1287611.ingest.sentry.io/api/6526369/envelope/?sentry_key=b0ca2fb00555461ba86f659a99cceb37&sentry_version=7 https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37; report-uri
https://o1287611.ingest.sentry.io/api/6526369/security/?sentry_key=b0ca2fb00555461ba86f659a99cceb37;";
 add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 add_header X-Content-Type-Options nosniff;
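Review bot: `https://accounts.google.com` is added only to `script-src` on the new line, but the header this patch series replaced also listed `https://accounts.google.com/gsi/client`, which suggests the Google Identity Services library is what needs this origin; if so, that library also opens an iframe on and sends requests to accounts.google.com, and Google's CSP guidance for it lists `frame-src`, `connect-src` and `style-src` entries under `https://accounts.google.com/gsi/` as well, so `frame-src` (currently only `https://www.google.com/`) and `connect-src` probably need the origin too — confirm from the browser console rather than guessing. Prefer the path-scoped forms (`https://accounts.google.com/gsi/client` in `script-src`, `https://accounts.google.com/gsi/` elsewhere) over the bare host, since each whole-host entry widens what an attacker with an injection point can load. The policy is now a single long line that mixes analytics, auth, backend and error-reporting origins; a short comment above it naming why each origin is present, e.g. `# accounts.google.com: Google Identity Services sign-in; *.okta.com: SSO; azurewebsites.net: app backends`, would keep later edits from silently dropping an entry the way the previous patch dropped the `gsi/client` one.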