Optimize CSP by calculating resource hashes during Docker build
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/push/woodpecker Pipeline was successful
Details
This commit is contained in:
parent
9822bbd903
commit
26a36de4de
|
|
@ -25,8 +25,27 @@ COPY static/ ./static/
|
||||||
# Create uploads directory
|
# Create uploads directory
|
||||||
RUN mkdir -p uploads
|
RUN mkdir -p uploads
|
||||||
|
|
||||||
|
# Calculate CSP hashes for static resources
|
||||||
|
RUN echo "Calculating CSP hashes for static resources..." && \
|
||||||
|
# Calculate hash for JS files
|
||||||
|
JS_HASH=$(openssl dgst -sha256 -binary static/js/bootstrap.bundle.min.js | openssl base64) && \
|
||||||
|
echo "JS hash: $JS_HASH" && \
|
||||||
|
# Calculate hash for CSS files
|
||||||
|
CSS_HASH=$(openssl dgst -sha256 -binary static/css/bootstrap.min.css | openssl base64) && \
|
||||||
|
echo "CSS hash: $CSS_HASH" && \
|
||||||
|
CUSTOM_CSS_HASH=$(openssl dgst -sha256 -binary static/css/custom.css | openssl base64) && \
|
||||||
|
echo "Custom CSS hash: $CUSTOM_CSS_HASH" && \
|
||||||
|
# Create environment variables file for CSP hashes
|
||||||
|
echo "export CSP_JS_HASH=$JS_HASH" > /app/csp_hashes.env && \
|
||||||
|
echo "export CSP_CSS_HASH=$CSS_HASH" >> /app/csp_hashes.env && \
|
||||||
|
echo "export CSP_CUSTOM_CSS_HASH=$CUSTOM_CSS_HASH" >> /app/csp_hashes.env
|
||||||
|
|
||||||
|
# Set build argument for APP_VERSION
|
||||||
|
ARG APP_VERSION=unknown
|
||||||
|
ENV APP_VERSION=$APP_VERSION
|
||||||
|
|
||||||
# Expose the port the app runs on
|
# Expose the port the app runs on
|
||||||
EXPOSE 5001
|
EXPOSE 5001
|
||||||
|
|
||||||
# Command to run the application
|
# Command to run the application with CSP hashes
|
||||||
CMD ["python", "app.py"]
|
CMD ["/bin/bash", "-c", "source /app/csp_hashes.env && exec python app.py"]
|
||||||
|
|
@ -40,12 +40,27 @@ app.config['VERSION'] = VERSION
|
||||||
APP_DOMAIN = os.environ.get('APP_DOMAIN', '')
|
APP_DOMAIN = os.environ.get('APP_DOMAIN', '')
|
||||||
APP_ENV = os.environ.get('APP_ENV', 'development')
|
APP_ENV = os.environ.get('APP_ENV', 'development')
|
||||||
|
|
||||||
|
# Get CSP hashes from environment variables
|
||||||
|
CSP_JS_HASH = os.environ.get('CSP_JS_HASH', '')
|
||||||
|
CSP_CSS_HASH = os.environ.get('CSP_CSS_HASH', '')
|
||||||
|
CSP_CUSTOM_CSS_HASH = os.environ.get('CSP_CUSTOM_CSS_HASH', '')
|
||||||
|
|
||||||
|
# Log the CSP hashes
|
||||||
|
if CSP_JS_HASH:
|
||||||
|
logger.info(f"Using pre-calculated CSP hash for JS: sha256-{CSP_JS_HASH}")
|
||||||
|
if CSP_CSS_HASH:
|
||||||
|
logger.info(f"Using pre-calculated CSP hash for CSS: sha256-{CSP_CSS_HASH}")
|
||||||
|
if CSP_CUSTOM_CSS_HASH:
|
||||||
|
logger.info(f"Using pre-calculated CSP hash for custom CSS: sha256-{CSP_CUSTOM_CSS_HASH}")
|
||||||
|
|
||||||
# Configure security headers with Talisman
|
# Configure security headers with Talisman
|
||||||
# Base CSP settings - much more restrictive now that we use local resources
|
# Base CSP settings with pre-calculated hashes for static resources
|
||||||
csp = {
|
csp = {
|
||||||
'default-src': ["'self'"],
|
'default-src': ["'self'"],
|
||||||
'script-src': ["'self'"],
|
'script-src': ["'self'"] + ([f"'sha256-{CSP_JS_HASH}'"] if CSP_JS_HASH else []),
|
||||||
'style-src': ["'self'"],
|
'style-src': ["'self'"] +
|
||||||
|
([f"'sha256-{CSP_CSS_HASH}'"] if CSP_CSS_HASH else []) +
|
||||||
|
([f"'sha256-{CSP_CUSTOM_CSS_HASH}'"] if CSP_CUSTOM_CSS_HASH else []),
|
||||||
'img-src': ["'self'", "data:"],
|
'img-src': ["'self'", "data:"],
|
||||||
'font-src': ["'self'"],
|
'font-src': ["'self'"],
|
||||||
'connect-src': "'self'",
|
'connect-src': "'self'",
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue