Strip out more inline javascript code. Encrypt backup codes and treat the backup codes attribute as a json array

2025-11-04 18:46:11 +11:00
parent bf104a9983
commit fb14ce032f
14 changed files with 336 additions and 248 deletions
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,77 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Define an application-wide content security policy.
-# See the Securing Rails Applications Guide for more information:
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
-
-Rails.application.configure do
-  config.content_security_policy do |policy|
-    # Default policy: only allow resources from same origin and HTTPS
-    policy.default_src :self, :https
-
-    # Scripts: strict security with nonce support for dynamic content
-    policy.script_src :self, :https, :strict_dynamic
-
-    # Styles: allow inline styles for CSS frameworks, but require HTTPS
-    policy.style_src :self, :https, :unsafe_inline
-
-    # Images: allow data URIs for inline images and HTTPS sources
-    policy.img_src :self, :https, :data
-
-    # Fonts: allow self-hosted and HTTPS fonts, plus data URIs
-    policy.font_src :self, :https, :data
-
-    # Media: allow self and HTTPS media sources
-    policy.media_src :self, :https
-
-    # Objects: block potentially dangerous plugins
-    policy.object_src :none
-
-    # Base URI: restrict base tag to same origin
-    policy.base_uri :self
-
-    # Form actions: only allow forms to submit to same origin
-    policy.form_action :self
-
-    # Frame ancestors: prevent clickjacking by disallowing framing
-    policy.frame_ancestors :none
-
-    # Frame sources: block iframes unless explicitly needed
-    policy.frame_src :none
-
-    # Connect sources: control where XHR/Fetch can connect
-    policy.connect_src :self, :https
-
-    # Manifest: only allow same-origin manifest files
-    policy.manifest_src :self
-
-    # Worker sources: control web worker origins
-    policy.worker_src :self, :https
-
-    # Report URI: send violation reports to our monitoring endpoint
-    if Rails.env.production?
-      policy.report_uri "/api/csp-violation-report"
-    end
-  end
-
-  # Generate session nonces for permitted inline scripts and styles
-  config.content_security_policy_nonce_generator = ->(request) {
-    # Use a secure random nonce instead of session ID for better security
-    SecureRandom.base64(16)
-  }
-
-  # Apply nonces to script and style directives
-  config.content_security_policy_nonce_directives = %w(script-src style-src)
-
-  # Automatically add `nonce` attributes to script/style tags
-  config.content_security_policy_nonce_auto = true
-
-  # Enforce CSP in production, but use report-only in development for debugging
-  if Rails.env.production?
-    # Enforce the policy in production
-    config.content_security_policy_report_only = false
-  else
-    # Report violations only in development (helps with debugging)
-    config.content_security_policy_report_only = true
-  end
-end
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -64,6 +64,8 @@ Rails.application.routes.draw do
  delete '/totp', to: 'totp#destroy'
  get '/totp/backup_codes', to: 'totp#backup_codes', as: :backup_codes_totp
  post '/totp/verify_password', to: 'totp#verify_password', as: :verify_password_totp
+  get '/totp/regenerate_backup_codes', to: 'totp#regenerate_backup_codes', as: :regenerate_backup_codes_totp
+  post '/totp/regenerate_backup_codes', to: 'totp#create_new_backup_codes', as: :create_new_backup_codes_totp

  # WebAuthn (Passkeys) routes
  get '/webauthn/new', to: 'webauthn#new', as: :new_webauthn