From b581cfa20480a0057590f728736271c11eaea4c2 Mon Sep 17 00:00:00 2001
From: colin
Date: Thu, 3 Jul 2025 18:27:22 -0400
Subject: [PATCH] Optimize CSP configuration to improve deployment speed by removing hash calculation

---
 docker-compose.dev.yml | 4 ++--
 docker/ploughshares/Dockerfile | 26 +++++++------------------
 docker/ploughshares/app.py | 6 ++----
 3 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 0d8926d..79e0f92 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -7,9 +7,9 @@ services:
       dockerfile: Dockerfile
     image: ploughshares:dev
     ports:
-      - "5005:5000"
+      - "5005:5001"
     environment:
-      - FLASK_RUN_PORT=5000
+      - FLASK_RUN_PORT=5001
       - FLASK_ENV=development
       - FLASK_DEBUG=1
       - POSTGRES_HOST=db
diff --git a/docker/ploughshares/Dockerfile b/docker/ploughshares/Dockerfile
index 65d7ad6..78cc2b6 100644
--- a/docker/ploughshares/Dockerfile
+++ b/docker/ploughshares/Dockerfile
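Review bot: `FLASK_RUN_PORT=5001` is honoured by the `flask run` CLI, but the Dockerfile in this same patch starts the service with `CMD ["python", "app.py"]`, so the port the process actually binds is whatever `app.run(...)` in app.py uses, which this hunk does not show. Unless app.py reads FLASK_RUN_PORT itself, the new `"5005:5001"` mapping and the `EXPOSE 5001` publish a port nothing listens on while the app keeps binding its old one. Please confirm how app.py chooses its port; if it is hard-coded, make it follow the same variable, e.g. `app.run(host="0.0.0.0", port=int(os.environ.get("FLASK_RUN_PORT", "5001")))`, so compose, Dockerfile and app cannot drift again.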
@@ -25,29 +25,17 @@ COPY static/ ./static/
 # Create uploads directory
 RUN mkdir -p uploads
-# Calculate CSP hashes for static resources and create environment variables
-RUN echo "Calculating CSP hashes for static resources..." && \
-    # Calculate hash for JS files
-    JS_HASH=$(openssl dgst -sha256 -binary static/js/bootstrap.bundle.min.js | openssl base64) && \
-    echo "JS hash: $JS_HASH" && \
-    # Calculate hash for CSS files
-    CSS_HASH=$(openssl dgst -sha256 -binary static/css/bootstrap.min.css | openssl base64) && \
-    echo "CSS hash: $CSS_HASH" && \
-    CUSTOM_CSS_HASH=$(openssl dgst -sha256 -binary static/css/custom.css | openssl base64) && \
-    echo "Custom CSS hash: $CUSTOM_CSS_HASH" && \
-    # Export CSP hashes as environment variables directly
-    echo "export CSP_JS_HASH=\"$JS_HASH\"" > /app/csp_hashes.env && \
-    echo "export CSP_CSS_HASH=\"$CSS_HASH\"" >> /app/csp_hashes.env && \
-    echo "export CSP_CUSTOM_CSS_HASH=\"$CUSTOM_CSS_HASH\"" >> /app/csp_hashes.env && \
-    # Make the file executable
-    chmod +x /app/csp_hashes.env
+# Set default environment variables for CSP
+ENV CSP_JS_HASH="default_js_hash" \
+    CSP_CSS_HASH="default_css_hash" \
+    CSP_CUSTOM_CSS_HASH="default_custom_css_hash"
 # Set build argument for APP_VERSION
 ARG APP_VERSION=unknown
 ENV APP_VERSION=$APP_VERSION
 # Expose the port the app runs on
-EXPOSE 5000
+EXPOSE 5001
-# Command to run the application with CSP hashes
-CMD ["/bin/bash", "-c", "source /app/csp_hashes.env && exec python app.py"]
\ No newline at end of file
+# Command to run the application
+CMD ["python", "app.py"]
\ No newline at end of file
diff --git a/docker/ploughshares/app.py b/docker/ploughshares/app.py
index 8ee04f4..dd358e4 100644
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
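Review bot: The new `ENV CSP_JS_HASH="default_js_hash" ...` block feeds placeholder strings into variables that app.py treats as base64 SHA-256 digests (the app.py hunk header context `if CSP_CUSTOM_CSS_HASH:` shows they are still read after this patch). `default_js_hash` is not a digest of anything, and any remaining path that formats one of these as `'sha256-{...}'` would emit a malformed CSP source expression that browsers ignore with a console warning, so the values can only mislead whoever reads the policy or the env. Since the same patch removes every use of the hashes from the policy, drop the three ENV lines and let the variables stay unset, which the existing truthiness checks already handle; if a value must exist for tooling, make it empty rather than fake: `ENV CSP_JS_HASH="" CSP_CSS_HASH="" CSP_CUSTOM_CSS_HASH=""`. The commit message frames this as a build-speed optimisation; it is also a security-posture change (the image no longer carries any content hashes at all), which deserves a sentence in the description.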
@@ -58,10 +58,8 @@ if CSP_CUSTOM_CSS_HASH:
 # This is less secure but ensures compatibility with all clients
 csp = {
     'default-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"],
-    'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"] + ([f"'sha256-{CSP_JS_HASH}'"] if CSP_JS_HASH else []),
-    'style-src': ["'self'", "'unsafe-inline'"] +
-                 ([f"'sha256-{CSP_CSS_HASH}'"] if CSP_CSS_HASH else []) +
-                 ([f"'sha256-{CSP_CUSTOM_CSS_HASH}'"] if CSP_CUSTOM_CSS_HASH else []),
+    'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    'style-src': ["'self'", "'unsafe-inline'"],
     'img-src': ["'self'", "data:", "blob:"],
     'font-src': ["'self'", "data:"],
     'connect-src': ["'self'", "*"],
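Review bot: The new `'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"]` permits any injected inline script and `eval()`, so after this patch the policy gives essentially no XSS mitigation beyond restricting where external scripts load from, and the `'connect-src': ["'self'", "*"]` a few lines below lets such a script reach any host. The removed hashes were not the right tool either: a `'sha256-…'` source in script-src matches inline script text, and only governs an external file such as bootstrap.bundle.min.js when its `<script>` tag carries a matching `integrity` attribute; worse, the mere presence of a hash makes CSP2+ browsers ignore `'unsafe-inline'`, which is presumably what broke and motivated this change. The durable fix is a per-request nonce on the inline scripts the templates emit so `'unsafe-inline'` can be dropped, and removing `'unsafe-eval'` unless something in the bundle provably needs it. At minimum the comment above the dict should state what the policy now is, e.g. `# NOTE(security): no hashes or nonces; 'unsafe-inline'/'unsafe-eval' disable CSP's inline-script protection`. The csp dict continues past the end of the hunk.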