Optimize CSP configuration to improve deployment speed by removing hash calculation

2025-07-03 18:27:22 -04:00 · 2025-07-03 18:27:22 -04:00 · b581cfa204
parent b950dd2c2a
commit b581cfa204
3 changed files with 11 additions and 25 deletions
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -7,9 +7,9 @@ services:
      dockerfile: Dockerfile
    image: ploughshares:dev
    ports:
-      - "5005:5000"
+      - "5005:5001"
    environment:
-      - FLASK_RUN_PORT=5000
+      - FLASK_RUN_PORT=5001
      - FLASK_ENV=development
      - FLASK_DEBUG=1
      - POSTGRES_HOST=db
--- a/docker/ploughshares/Dockerfile
+++ b/docker/ploughshares/Dockerfile
@ -25,29 +25,17 @@ COPY static/ ./static/
 # Create uploads directory
 RUN mkdir -p uploads

-# Calculate CSP hashes for static resources and create environment variables
-RUN echo "Calculating CSP hashes for static resources..." && \
-    # Calculate hash for JS files
-    JS_HASH=$(openssl dgst -sha256 -binary static/js/bootstrap.bundle.min.js | openssl base64) && \
-    echo "JS hash: $JS_HASH" && \
-    # Calculate hash for CSS files
-    CSS_HASH=$(openssl dgst -sha256 -binary static/css/bootstrap.min.css | openssl base64) && \
-    echo "CSS hash: $CSS_HASH" && \
-    CUSTOM_CSS_HASH=$(openssl dgst -sha256 -binary static/css/custom.css | openssl base64) && \
-    echo "Custom CSS hash: $CUSTOM_CSS_HASH" && \
-    # Export CSP hashes as environment variables directly
-    echo "export CSP_JS_HASH=\"$JS_HASH\"" > /app/csp_hashes.env && \
-    echo "export CSP_CSS_HASH=\"$CSS_HASH\"" >> /app/csp_hashes.env && \
-    echo "export CSP_CUSTOM_CSS_HASH=\"$CUSTOM_CSS_HASH\"" >> /app/csp_hashes.env && \
-    # Make the file executable
-    chmod +x /app/csp_hashes.env
+# Set default environment variables for CSP
+ENV CSP_JS_HASH="default_js_hash" \
+    CSP_CSS_HASH="default_css_hash" \
+    CSP_CUSTOM_CSS_HASH="default_custom_css_hash"

 # Set build argument for APP_VERSION
 ARG APP_VERSION=unknown
 ENV APP_VERSION=$APP_VERSION

 # Expose the port the app runs on
-EXPOSE 5000
+EXPOSE 5001

-# Command to run the application with CSP hashes
-CMD ["/bin/bash", "-c", "source /app/csp_hashes.env && exec python app.py"] 
+# Command to run the application
+CMD ["python", "app.py"] 
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
@ -58,10 +58,8 @@ if CSP_CUSTOM_CSS_HASH:
 # This is less secure but ensures compatibility with all clients
 csp = {
    'default-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"],
-    'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"] + ([f"'sha256-{CSP_JS_HASH}'"] if CSP_JS_HASH else []),
-    'style-src': ["'self'", "'unsafe-inline'"] + 
-                ([f"'sha256-{CSP_CSS_HASH}'"] if CSP_CSS_HASH else []) + 
-                ([f"'sha256-{CSP_CUSTOM_CSS_HASH}'"] if CSP_CUSTOM_CSS_HASH else []),
+    'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    'style-src': ["'self'", "'unsafe-inline'"],
    'img-src': ["'self'", "data:", "blob:"],
    'font-src': ["'self'", "data:"],
    'connect-src': ["'self'", "*"],