Add an HTTP Content-Security-Policy

As part of a security review of the service, it was noted that a Content-Security-Policy (CSP) is missing. This change adds a CSP to the service.
alphagov · Jul 10, 2020 · 7a4b5eb · 7a4b5eb
1 parent c9d7bcd
commit 7a4b5eb
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -13,9 +13,9 @@
     <%= yield :meta_tags %>
   </head>
   <body class="govuk-template__body">
-    <script>
+    <%= javascript_tag nonce: true do -%>
       document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');
-    </script>
+    <% end -%>
     <%= render "govuk_publishing_components/components/cookie_banner", {
       title: t("cookies.banner.title"),
       text: t("cookies.banner.text"),
@@ -75,6 +75,6 @@
         ]
       }
     } %>
-    <%= javascript_include_tag "application" %>
+    <%= javascript_include_tag "application", nonce: true %>
   </body>
 </html>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -1,30 +1,34 @@
 # frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # Define an application-wide content security policy
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
 # Content-Security-Policy
 
-# Rails.application.config.content_security_policy do |policy|
-#   policy.default_src :self, :https
-#   policy.font_src    :self, :https, :data
-#   policy.img_src     :self, :https, :data
-#   policy.object_src  :none
-#   policy.script_src  :self, :https
-#   policy.style_src   :self, :https
+Rails.application.config.content_security_policy do |policy|
+  policy.default_src     :self, :https
+  policy.font_src        :self, :https, :data
+  policy.img_src         :self, :https, :data
+  policy.object_src      :none
+  policy.script_src      :self, :https, :data, "https://www.google-analytics.com"
+  policy.style_src       :self, :https
+  policy.media_src       :none
+  policy.child_src       :self
+  policy.form_action     :self
+  policy.frame_ancestors :self
+  policy.connect_src     :none
 
-#   # Specify URI for violation reports
-#   # policy.report_uri "/csp-violation-report-endpoint"
-# end
+  #   # Specify URI for violation reports
+  #   # policy.report_uri "/csp-violation-report-endpoint"
+end
 
 # If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = ->
-# request { SecureRandom.base64(16) }
+Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
 
 # Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives =
-# %w(script-src)
+Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
 
 # Report CSP violations to a specified URI
 # For further information see the following documentation: