adding proper CSP header plug and setting ignore config for mix sobelow

This commit is contained in:
Adam Piontek 2021-04-06 18:40:08 -04:00
parent 10fbc6732b
commit c7ef111ebe
3 changed files with 35 additions and 0 deletions

12
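--- a/.sobelow-conf
+++ b/.sobelow-conf
@@ -0,0 +1,12 @@
+[
+verbose: true,
+private: false,
+skip: false,
+router: "",
+exit: "low",
+format: "txt",
+out: "",
+threshold: "low",
+ignore: ["Config.CSP", "Config.HTTPS"],
+ignore_files: [""]
+]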
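Review bot: The `ignore: ["Config.CSP", "Config.HTTPS"]` entry silences two findings, but only the `Config.CSP` suppression is explained by this commit (the header is now set by the custom plug, which sobelow's `put_secure_browser_headers`-based check will not see). Nothing on the page shows why `Config.HTTPS` (the force_ssl / HTTPS endpoint check) is also ignored; if HTTPS is terminated upstream or `force_ssl` is set in the production endpoint config, that should be stated in the commit message or next to the entry, otherwise the ignore hides a real finding. I would keep the list to `ignore: ["Config.CSP"]` until the HTTPS case is documented.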


@ -0,0 +1,21 @@
defmodule Home73kWeb.CSPHeader do
import Plug.Conn
def init(opts), do: opts
def call(conn, _opts) do
put_resp_header conn, "content-security-policy", csp(conn)
end
defp csp(conn) do
"default-src 'self'; \
connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' 'unsafe-inline' 'unsafe-eval'"
end
defp ws_url(conn, protocol \\ "ws") do
endpoint = Phoenix.Controller.endpoint_module(conn)
%{endpoint.struct_url | scheme: protocol} |> URI.to_string()
end
end
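Review bot: `script-src 'self' 'unsafe-inline' 'unsafe-eval'` in `csp/1` permits every inline script and `eval`, which gives up most of the script-injection mitigation a Content-Security-Policy exists to provide, so the header as written mainly restricts where resources are fetched from. Drop `'unsafe-eval'` unless a bundled dependency demonstrably requires it, and replace `'unsafe-inline'` with a per-request nonce (generated in `call/2`, stored in `conn.assigns`, and emitted as a `nonce` attribute on the inline script tags in the layout) or with script hashes; `style-src 'self' 'unsafe-inline'` is a more common compromise for styles. Separately, the module does not declare `@behaviour Plug` or mark `init/1` and `call/2` with `@impl true`, and `put_resp_header conn, "content-security-policy", csp(conn)` lacks the parentheses `mix format` would add — `put_resp_header(conn, "content-security-policy", csp(conn))`. A one-line `@moduledoc` stating that the connect-src origins are derived from the endpoint's `struct_url` (so the policy tracks the configured host rather than the request host) would help the next maintainer.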


@ -1,5 +1,6 @@
defmodule Home73kWeb.Router do defmodule Home73kWeb.Router do
use Home73kWeb, :router use Home73kWeb, :router
alias Home73kWeb.CSPHeader
pipeline :browser do pipeline :browser do
plug :accepts, ["html"] plug :accepts, ["html"]
@ -8,6 +9,7 @@ defmodule Home73kWeb.Router do
plug :put_root_layout, {Home73kWeb.LayoutView, :root} plug :put_root_layout, {Home73kWeb.LayoutView, :root}
plug :protect_from_forgery plug :protect_from_forgery
plug :put_secure_browser_headers plug :put_secure_browser_headers
plug CSPHeader
end end
pipeline :xml_rss do pipeline :xml_rss do
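Review bot: `plug CSPHeader` is added to the `:browser` pipeline with no comment explaining why the header is not passed to the existing `put_secure_browser_headers` call, which already accepts a map of extra headers; the reason (the policy's connect-src is built from the endpoint URL at request time, and sobelow's `Config.CSP` check is ignored in `.sobelow-conf` for that reason) is only recoverable from the other files in this commit. I would add `# CSP is built per request by CSPHeader; sobelow Config.CSP is ignored in .sobelow-conf` above the plug line. The `:xml_rss` pipeline body continues outside the hunk, so whether non-browser responses intentionally get no CSP cannot be judged from here.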