Optimize CSP configuration to improve deployment speed by removing hash calculation

This commit is contained in:
colin 2025-07-03 18:27:22 -04:00
parent b950dd2c2a
commit b581cfa204
3 changed files with 11 additions and 25 deletions


@ -7,9 +7,9 @@ services:
dockerfile: Dockerfile dockerfile: Dockerfile
image: ploughshares:dev image: ploughshares:dev
ports: ports:
- "5005:5000" - "5005:5001"
environment: environment:
- FLASK_RUN_PORT=5000 - FLASK_RUN_PORT=5001
- FLASK_ENV=development - FLASK_ENV=development
- FLASK_DEBUG=1 - FLASK_DEBUG=1
- POSTGRES_HOST=db - POSTGRES_HOST=db
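Review bot: The port move from 5000 to 5001 in `- "5005:5001"` and `- FLASK_RUN_PORT=5001` (and `EXPOSE 5001` in the Dockerfile section) is not mentioned in the commit title, which only describes the CSP hash change; a sentence in the description saying why the port changed would help anyone bisecting later. The service definition starts before this hunk, so I cannot see whether anything else in the compose file still references 5000.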


@ -25,29 +25,17 @@ COPY static/ ./static/
# Create uploads directory # Create uploads directory
RUN mkdir -p uploads RUN mkdir -p uploads
# Calculate CSP hashes for static resources and create environment variables # Set default environment variables for CSP
RUN echo "Calculating CSP hashes for static resources..." && \ ENV CSP_JS_HASH="default_js_hash" \
# Calculate hash for JS files CSP_CSS_HASH="default_css_hash" \
JS_HASH=$(openssl dgst -sha256 -binary static/js/bootstrap.bundle.min.js | openssl base64) && \ CSP_CUSTOM_CSS_HASH="default_custom_css_hash"
echo "JS hash: $JS_HASH" && \
# Calculate hash for CSS files
CSS_HASH=$(openssl dgst -sha256 -binary static/css/bootstrap.min.css | openssl base64) && \
echo "CSS hash: $CSS_HASH" && \
CUSTOM_CSS_HASH=$(openssl dgst -sha256 -binary static/css/custom.css | openssl base64) && \
echo "Custom CSS hash: $CUSTOM_CSS_HASH" && \
# Export CSP hashes as environment variables directly
echo "export CSP_JS_HASH=\"$JS_HASH\"" > /app/csp_hashes.env && \
echo "export CSP_CSS_HASH=\"$CSS_HASH\"" >> /app/csp_hashes.env && \
echo "export CSP_CUSTOM_CSS_HASH=\"$CUSTOM_CSS_HASH\"" >> /app/csp_hashes.env && \
# Make the file executable
chmod +x /app/csp_hashes.env
# Set build argument for APP_VERSION # Set build argument for APP_VERSION
ARG APP_VERSION=unknown ARG APP_VERSION=unknown
ENV APP_VERSION=$APP_VERSION ENV APP_VERSION=$APP_VERSION
# Expose the port the app runs on # Expose the port the app runs on
EXPOSE 5000 EXPOSE 5001
# Command to run the application with CSP hashes # Command to run the application
CMD ["/bin/bash", "-c", "source /app/csp_hashes.env && exec python app.py"] CMD ["python", "app.py"]
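Review bot: The placeholder values in the new `ENV CSP_JS_HASH="default_js_hash" …` instruction are non-empty strings, so any remaining truthiness check on them in app.py, such as the `if CSP_CUSTOM_CSS_HASH:` shown as context for the app.py hunk, will always take the "set" branch inside the container, while nothing in the new app.py hunk emits these values as hash sources any more. If the variables are no longer consumed, drop the `ENV` line and its comment; if they are, document that they are sentinels rather than base64 SHA-256 digests and must never be interpolated into a `'sha256-…'` source, e.g. `# Placeholders only: app.py no longer emits these as CSP hash sources`. The stage header and any `USER` directive are outside this hunk, so I cannot confirm whether `CMD ["python", "app.py"]` runs as non-root.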


@ -58,10 +58,8 @@ if CSP_CUSTOM_CSS_HASH:
# This is less secure but ensures compatibility with all clients # This is less secure but ensures compatibility with all clients
csp = { csp = {
'default-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"], 'default-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"],
'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"] + ([f"'sha256-{CSP_JS_HASH}'"] if CSP_JS_HASH else []), 'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
'style-src': ["'self'", "'unsafe-inline'"] + 'style-src': ["'self'", "'unsafe-inline'"],
([f"'sha256-{CSP_CSS_HASH}'"] if CSP_CSS_HASH else []) +
([f"'sha256-{CSP_CUSTOM_CSS_HASH}'"] if CSP_CUSTOM_CSS_HASH else []),
'img-src': ["'self'", "data:", "blob:"], 'img-src': ["'self'", "data:", "blob:"],
'font-src': ["'self'", "data:"], 'font-src': ["'self'", "data:"],
'connect-src': ["'self'", "*"], 'connect-src': ["'self'", "*"],
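Review bot: Dropping the `'sha256-…'` sources from `script-src` and `style-src` changes the effective policy, not just build time: when a hash source is present in a directive, browsers that support hash sources ignore `'unsafe-inline'` for that directive, so the old header effectively blocked inline scripts and styles whereas the new `'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"]` permits them. The retained comment "This is less secure but ensures compatibility with all clients" should state this, e.g. `# Hash sources intentionally omitted: with one present, browsers ignore 'unsafe-inline' for that directive`. The hunk header's context line `if CSP_CUSTOM_CSS_HASH:` suggests this dict still sits under a branch on that variable, which no longer affects any directive shown here, so the surrounding branching looks like dead configuration worth removing; the enclosing block starts and ends outside the hunk.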