Enable "enforce" CSP for dev deployments
labkey-tchad committed Dec 19, 2024
1 parent 5df3d4b commit 53b0ee1
Showing 1 changed file with 12 additions and 29 deletions.
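--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -128,35 +128,18 @@ management.server.port=@@shutdownPort@@
 ## Define one or both of 'csp.report' and 'csp.enforce' to enable Content Security Policy (CSP) headers
 ## Do not use these examples for any production environment without understanding the meaning of each directive!
 
-## example usage 1 - very strict, disallows 'external' websites, disallows unsafe-inline, but only reports violations (does not enforce)
-
-#csp.report=\
-# default-src 'self';\
-# connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
-# object-src 'none' ;\
-# style-src 'self' 'unsafe-inline' ;\
-# img-src 'self' data: ;\
-# font-src 'self' data: ;\
-# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
-# base-uri 'self' ;\
-# upgrade-insecure-requests ;\
-# frame-ancestors 'self' ;\
-# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
-
-## example usage 2 - less strict but enforces directives, (NOTE: unsafe-inline is still required for many modules)
-
-#csp.enforce=\
-# default-src 'self' https: ;\
-# connect-src 'self' https: ${LABKEY.ALLOWED.CONNECTIONS};\
-# object-src 'none' ;\
-# style-src 'self' https: 'unsafe-inline' ;\
-# img-src 'self' data: ;\
-# font-src 'self' data: ;\
-# script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
-# base-uri 'self' ;\
-# upgrade-insecure-requests ;\
-# frame-ancestors 'self' ;\
-# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+## Default CSP for dev deployments
+#useLocalBuild#csp.enforce=\
+#useLocalBuild# default-src 'self' https: http: ;\
+#useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
+#useLocalBuild# object-src 'none' ;\
+#useLocalBuild# style-src 'self' https: 'unsafe-inline' ;\
+#useLocalBuild# img-src 'self' https: data: ;\
+#useLocalBuild# font-src 'self' http: https: data: ;\
+#useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+#useLocalBuild# base-uri 'self' ;\
+#useLocalBuild# frame-ancestors 'self' ;\
+#useLocalBuild# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 
 ## Default CSP for TeamCity and dev deployments
 csp.report=\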
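Review bot: The new dev `csp.enforce` block's `connect-src` line, `#useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\`, uses a bare `ws:` scheme source, which matches WebSocket connections to any host rather than only the local server; `ws://localhost:*` would scope it as tightly as the `localhost:*` entry beside it. The retained comment `## Do not use these examples for any production environment without understanding the meaning of each directive!` now precedes a default policy rather than examples, so it reads stale; `## Do not enable these defaults in a production environment without understanding the meaning of each directive!` matches what follows. Compared with the removed example 2, the dev policy drops `upgrade-insecure-requests` and adds `http:` to `default-src` and `font-src`, which is presumably deliberate for plain-HTTP local development but worth stating in the `## Default CSP for dev deployments` comment so it is not copied elsewhere. The `#useLocalBuild#` prefix appears to be a build-time substitution marker that un-comments the block for local builds; a one-line comment naming the property or step that activates it would help readers of this file. The `csp.report` block that follows starts in this hunk but continues outside it.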
