fix(security): add nonce-based CSP header to frontend route
This commit is contained in:
@@ -7,6 +7,7 @@ from typing import Optional
|
||||
import jwt
|
||||
import requests
|
||||
import os
|
||||
import secrets
|
||||
from functools import lru_cache
|
||||
|
||||
app = FastAPI(title="OIDC Token Validator")
|
||||
@@ -326,9 +327,27 @@ async def validate_token(request: TokenValidationRequest):
|
||||
@app.get("/", response_class=HTMLResponse)
|
||||
async def read_root():
|
||||
"""Serve the frontend HTML file"""
|
||||
nonce = secrets.token_urlsafe(16)
|
||||
with open("templates/index.html", "r") as file:
|
||||
html_content = file.read()
|
||||
return HTMLResponse(content=html_content, status_code=200)
|
||||
html_content = html_content.replace(
|
||||
'<script>', f'<script nonce="{nonce}">', 1
|
||||
)
|
||||
csp = (
|
||||
"default-src 'self'; "
|
||||
f"script-src 'self' 'nonce-{nonce}' https://cdn.jsdelivr.net; "
|
||||
"style-src 'self' https://cdn.jsdelivr.net; "
|
||||
"connect-src 'self' https://login.infomaniak.com https://api.coingecko.com; "
|
||||
"img-src 'self'; "
|
||||
"object-src 'none'; "
|
||||
"base-uri 'self'; "
|
||||
"frame-ancestors 'none'"
|
||||
)
|
||||
return HTMLResponse(
|
||||
content=html_content,
|
||||
status_code=200,
|
||||
headers={"Content-Security-Policy": csp},
|
||||
)
|
||||
|
||||
@app.get("/health")
|
||||
async def health_check():
|
||||
|
||||
Reference in New Issue
Block a user