Improve security by hosting all resources locally and using system fonts

2025-07-03 14:18:16 -04:00 · 2025-07-03 14:18:16 -04:00 · f25ca7ffe0
parent 6a2dd63ad3
commit f25ca7ffe0
5 changed files with 135 additions and 71 deletions
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
@ -41,21 +41,13 @@ APP_DOMAIN = os.environ.get('APP_DOMAIN', '')
 APP_ENV = os.environ.get('APP_ENV', 'development')

 # Configure security headers with Talisman
-# Base CSP settings
+# Base CSP settings - much more restrictive now that we use local resources
 csp = {
    'default-src': ["'self'"],
-    'script-src': [
-        "'self'", 
-        "'unsafe-inline'",
-        "https://cdn.jsdelivr.net/",
-    ],
-    'style-src': [
-        "'self'", 
-        "'unsafe-inline'",
-        "https://cdn.jsdelivr.net/",
-    ],
-    'img-src': ["'self'", "data:", "https:"],
-    'font-src': ["'self'", "data:", "https://cdn.jsdelivr.net/"],
+    'script-src': ["'self'"],
+    'style-src': ["'self'"],
+    'img-src': ["'self'", "data:"],
+    'font-src': ["'self'"],
    'connect-src': "'self'",
    'object-src': "'none'",
    'frame-ancestors': "'none'",
--- a/docker/ploughshares/static/css/bootstrap.min.css
+++ b/docker/ploughshares/static/css/bootstrap.min.css
--- a/docker/ploughshares/static/css/custom.css
+++ b/docker/ploughshares/static/css/custom.css
@ -0,0 +1,114 @@
+/* Custom styles for Ploughshares application */
+
+/* System font stack */
+body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;
+    padding-top: 20px;
+    padding-bottom: 20px;
+}
+
+/* Header styles */
+.header {
+    border-bottom: 1px solid #e5e5e5;
+    margin-bottom: 30px;
+}
+
+.header h3 {
+    margin-top: 0;
+    margin-bottom: 0;
+    line-height: 40px;
+}
+
+/* Footer styles */
+.footer {
+    padding-top: 19px;
+    color: #777;
+    border-top: 1px solid #e5e5e5;
+    margin-top: 30px;
+}
+
+/* Form styles */
+.form-group {
+    margin-bottom: 15px;
+}
+
+/* Card styles */
+.document-card {
+    margin-bottom: 15px;
+}
+
+/* Logo styles */
+.logo {
+    max-height: 40px;
+    margin-right: 10px;
+}
+
+.navbar-brand {
+    display: flex;
+    align-items: center;
+}
+
+/* Currency styles */
+.currency-value {
+    font-weight: 600;
+    color: #28a745;
+}
+
+.amount-cell {
+    text-align: right;
+}
+
+td.amount-cell {
+    text-align: right;
+}
+
+/* Version display */
+.version {
+    font-size: 0.8em;
+    color: #999;
+}
+
+/* Navigation styles */
+.navbar-nav {
+    gap: 1rem;
+}
+
+.nav-item {
+    margin: 0 0.5rem;
+}
+
+/* Button icons using Unicode symbols */
+.btn-add::before {
+    content: "➕ ";
+}
+
+.btn-edit::before {
+    content: "✏️ ";
+}
+
+.btn-delete::before {
+    content: "🗑️ ";
+}
+
+.btn-view::before {
+    content: "👁️ ";
+}
+
+/* Navbar toggle button */
+.navbar-toggler-icon {
+    background-image: none;
+    position: relative;
+}
+
+.navbar-toggler-icon::before {
+    content: "☰";
+    font-size: 1.5rem;
+    position: absolute;
+    top: 0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+} 
--- a/docker/ploughshares/static/js/bootstrap.bundle.min.js
+++ b/docker/ploughshares/static/js/bootstrap.bundle.min.js
--- a/docker/ploughshares/templates/base.html
+++ b/docker/ploughshares/templates/base.html
@ -5,63 +5,8 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>{% block title %}Project Ploughshares - Transaction Management System{% endblock %}</title>
    <link rel="icon" type="image/x-icon" href="{{ url_for('static', filename='favicon.ico') }}">
-    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
-    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.0/font/bootstrap-icons.css">
-    <style>
-        body {
-            padding-top: 20px;
-            padding-bottom: 20px;
-        }
-        .header {
-            border-bottom: 1px solid #e5e5e5;
-            margin-bottom: 30px;
-        }
-        .header h3 {
-            margin-top: 0;
-            margin-bottom: 0;
-            line-height: 40px;
-        }
-        .footer {
-            padding-top: 19px;
-            color: #777;
-            border-top: 1px solid #e5e5e5;
-            margin-top: 30px;
-        }
-        .form-group {
-            margin-bottom: 15px;
-        }
-        .document-card {
-            margin-bottom: 15px;
-        }
-        .logo {
-            max-height: 40px;
-            margin-right: 10px;
-        }
-        .navbar-brand {
-            display: flex;
-            align-items: center;
-        }
-        .currency-value {
-            font-weight: 600;
-            color: #28a745;
-        }
-        .amount-cell {
-            text-align: right;
-        }
-        td:has(.currency-value) {
-            text-align: right;
-        }
-        .version {
-            font-size: 0.8em;
-            color: #999;
-        }
-        .navbar-nav {
-            gap: 1rem;
-        }
-        .nav-item {
-            margin: 0 0.5rem;
-        }
-    </style>
+    <link rel="stylesheet" href="{{ url_for('static', filename='css/bootstrap.min.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='css/custom.css') }}">
 </head>
 <body>
    <div class="container">
@ -110,7 +55,7 @@
        </footer>
    </div>

-    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
+    <script src="{{ url_for('static', filename='js/bootstrap.bundle.min.js') }}"></script>
    {% block scripts %}{% endblock %}
 </body>
 </html>