Add environment variables for CSP configuration across different environments

docker-compose.dev.yml

@@ -17,6 +17,7 @@ services:
       - POSTGRES_DB=ploughshares
       - POSTGRES_USER=ploughshares
       - POSTGRES_PASSWORD=ploughshares_password
+      - APP_ENV=development
     depends_on:
       db:
         condition: service_healthy

docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - POSTGRES_USER=ploughshares
       - POSTGRES_PASSWORD=ploughshares_password
       - APP_VERSION=0.1.2
+      - APP_ENV=development
     depends_on:
       db:
         condition: service_healthy

docker/ploughshares/app.py

@@ -36,7 +36,12 @@ app.secret_key = 'supersecretkey'
 app.config['UPLOAD_FOLDER'] = 'uploads'
 app.config['VERSION'] = VERSION
 
+# Get domain configuration from environment
+APP_DOMAIN = os.environ.get('APP_DOMAIN', '')
+APP_ENV = os.environ.get('APP_ENV', 'development')
+
 # Configure security headers with Talisman
+# Base CSP settings
 csp = {
     'default-src': "'none'",
     'script-src': ["'self'", 
@@ -53,6 +58,23 @@ csp = {
     'form-action': "'self'"
 }
 
+# Add domain-specific CSP settings if domain is provided
+if APP_DOMAIN:
+    logger.info(f"Configuring CSP for domain: {APP_DOMAIN}")
+    # Add domain to connect-src if needed
+    if APP_DOMAIN not in csp['connect-src']:
+        if isinstance(csp['connect-src'], list):
+            csp['connect-src'].append(APP_DOMAIN)
+        else:
+            csp['connect-src'] = [csp['connect-src'], APP_DOMAIN]
+    
+    # Update form-action to include the domain
+    if isinstance(csp['form-action'], list):
+        if APP_DOMAIN not in csp['form-action']:
+            csp['form-action'].append(APP_DOMAIN)
+    else:
+        csp['form-action'] = [csp['form-action'], APP_DOMAIN]
+
 permissions_policy = {
     'accelerometer': '()',
     'camera': '()',
@@ -64,21 +86,25 @@ permissions_policy = {
     'usb': '()'
 }
 
+# Determine if HTTPS should be forced based on environment
+force_https = APP_ENV != 'development'
+logger.info(f"Environment: {APP_ENV}, Force HTTPS: {force_https}")
+
 # Initialize Talisman
 talisman = Talisman(
     app,
     content_security_policy=csp,
     content_security_policy_nonce_in=['script-src'],
     feature_policy=permissions_policy,
-    force_https=True,
+    force_https=force_https,
-    force_https_permanent=True,
+    force_https_permanent=force_https,
-    strict_transport_security=True,
+    strict_transport_security=force_https,
-    strict_transport_security_preload=True,
+    strict_transport_security_preload=force_https,
     strict_transport_security_max_age=31536000,
-    strict_transport_security_include_subdomains=True,
+    strict_transport_security_include_subdomains=force_https,
     referrer_policy='strict-origin-when-cross-origin',
     frame_options='DENY',
-    session_cookie_secure=True,
+    session_cookie_secure=force_https,
     session_cookie_http_only=True
 )
 

stack.production.yml

@@ -32,6 +32,8 @@ services:
       - POSTGRES_DB=ploughshares
       - POSTGRES_USER=ploughshares
       - POSTGRES_PASSWORD=ploughshares_password
+      - APP_DOMAIN=https://ploughshares.nixc.us
+      - APP_ENV=production
     networks:
       - traefik
       - ploughshares-internal

stack.staging.yml

@@ -29,6 +29,8 @@ services:
       - POSTGRES_DB=ploughshares
       - POSTGRES_USER=ploughshares
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password_staging
+      - APP_DOMAIN=https://staging-ploughshares.nixc.us
+      - APP_ENV=staging
     networks:
       - traefik
       - ploughshares-internal