Strip out more inline javascript code. Encrypt backup codes and treat the backup codes attribute as a json array
This commit is contained in:
Dan Milne
@@ -1,77 +0,0 @@
|
||||
# Be sure to restart your server when you modify this file.
|
||||
|
||||
# Define an application-wide content security policy.
|
||||
# See the Securing Rails Applications Guide for more information:
|
||||
# https://guides.rubyonrails.org/security.html#content-security-policy-header
|
||||
|
||||
Rails.application.configure do
|
||||
config.content_security_policy do |policy|
|
||||
# Default policy: only allow resources from same origin and HTTPS
|
||||
policy.default_src :self, :https
|
||||
|
||||
# Scripts: strict security with nonce support for dynamic content
|
||||
policy.script_src :self, :https, :strict_dynamic
|
||||
|
||||
# Styles: allow inline styles for CSS frameworks, but require HTTPS
|
||||
policy.style_src :self, :https, :unsafe_inline
|
||||
|
||||
# Images: allow data URIs for inline images and HTTPS sources
|
||||
policy.img_src :self, :https, :data
|
||||
|
||||
# Fonts: allow self-hosted and HTTPS fonts, plus data URIs
|
||||
policy.font_src :self, :https, :data
|
||||
|
||||
# Media: allow self and HTTPS media sources
|
||||
policy.media_src :self, :https
|
||||
|
||||
# Objects: block potentially dangerous plugins
|
||||
policy.object_src :none
|
||||
|
||||
# Base URI: restrict base tag to same origin
|
||||
policy.base_uri :self
|
||||
|
||||
# Form actions: only allow forms to submit to same origin
|
||||
policy.form_action :self
|
||||
|
||||
# Frame ancestors: prevent clickjacking by disallowing framing
|
||||
policy.frame_ancestors :none
|
||||
|
||||
# Frame sources: block iframes unless explicitly needed
|
||||
policy.frame_src :none
|
||||
|
||||
# Connect sources: control where XHR/Fetch can connect
|
||||
policy.connect_src :self, :https
|
||||
|
||||
# Manifest: only allow same-origin manifest files
|
||||
policy.manifest_src :self
|
||||
|
||||
# Worker sources: control web worker origins
|
||||
policy.worker_src :self, :https
|
||||
|
||||
# Report URI: send violation reports to our monitoring endpoint
|
||||
if Rails.env.production?
|
||||
policy.report_uri "/api/csp-violation-report"
|
||||
end
|
||||
end
|
||||
|
||||
# Generate session nonces for permitted inline scripts and styles
|
||||
config.content_security_policy_nonce_generator = ->(request) {
|
||||
# Use a secure random nonce instead of session ID for better security
|
||||
SecureRandom.base64(16)
|
||||
}
|
||||
|
||||
# Apply nonces to script and style directives
|
||||
config.content_security_policy_nonce_directives = %w(script-src style-src)
|
||||
|
||||
# Automatically add `nonce` attributes to script/style tags
|
||||
config.content_security_policy_nonce_auto = true
|
||||
|
||||
# Enforce CSP in production, but use report-only in development for debugging
|
||||
if Rails.env.production?
|
||||
# Enforce the policy in production
|
||||
config.content_security_policy_report_only = false
|
||||
else
|
||||
# Report violations only in development (helps with debugging)
|
||||
config.content_security_policy_report_only = true
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user