PRMDR 496 - CSP Policies (#197)

* Updated NGINX config with CSP * Added permissions policy to NGINX * Updated content security policy to allow API
nhsconnect · Dec 13, 2023 · 9e4f91b · 9e4f91b
1 parent bcdb054
commit 9e4f91b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/app/docker/nginx.conf b/app/docker/nginx.conf
@@ -4,7 +4,15 @@ events {
 http {
     server {
     listen       80;
+    add_header Cache-Control "no-store" always;
+    add_header Pragma "no-cache" always;
     add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header Content-Security-Policy "frame-ancestors 'none'; img-src 'self'; script-src 'self'; style-src 'self'" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "Permissions-Policy: accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), battery=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), navigation-override=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self), clipboard-read=(self), clipboard-write=(self), gamepad=(self), speaker-selection=(self), conversion-measurement=(self), focus-without-user-activation=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), sync-script=(self), trust-token-redemption=(self), unload=(self), window-placement=(self), vertical-scroll=(self)" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
         location / {
             root   /usr/share/nginx/html;
             index  index.html index.htm;

diff --git a/app/public/index.html b/app/public/index.html
@@ -8,9 +8,6 @@
         />
 
         <meta charset="utf-8" />
-        <meta http-equiv="Cache-control" content="no-store" />
-        <meta http-equiv="Pragma" content="no-cache" />
-
         <link rel="icon" href="%PUBLIC_URL%/favicon.ico" />
         <link rel="apple-touch-icon" sizes="57x57" href="%PUBLIC_URL%/apple-icon-57x57.png" />
         <link rel="apple-touch-icon" sizes="60x60" href="%PUBLIC_URL%/apple-icon-60x60.png" />