authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Review Response headers `Content-Security-Policy` #4451

Open pkong-ds opened 4 months ago

pkong-ds commented 4 months ago

Problem

Currently, the response headers of authgear are about 2kb.

nginx proxy_buffer_size default is 4kb | 8kb

Default:    proxy_buffer_size 4k|8k;

Proposed fix

Review large response headers such as Content-Security-Policy and Set-Cookie in pkg/lib/web/csp.go

Note that Permissions-Policy will not be reviewed due to compliance issues

Context

Sample response

Note Permissions-Policy, Content-Security-Policy and Set-Cookie

HTTP/1.1 302 Found
Cache-Control: no-store
Content-Security-Policy: default-src 'self'; script-src 'strict-dynamic' 'nonce-DQA12T13HX36DH5SVR6JX7CEXS8TJJJZ' www.googletagmanager.com eu-assets.i.posthog.com https://browser.sentry-cdn.com 'self'; frame-src www.googletagmanager.com 'self'; font-src cdnjs.cloudflare.com static2.sharepointonline.com fonts.googleapis.com fonts.gstatic.com 'self'; style-src 'unsafe-inline' cdnjs.cloudflare.com www.googletagmanager.com fonts.googleapis.com 'self'; img-src http: https: data: 'self'; object-src 'none'; base-uri 'none'; connect-src 'self' https://www.google-analytics.com ws://accounts.portal.localhost:3000 wss://accounts.portal.localhost:3000; block-all-mixed-content; frame-ancestors 'none'
Location: /login
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=*, execution-while-out-of-viewport=*, fullscreen=*, gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(self), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()
Pragma: no-cache
Set-Cookie: debug_csrf_same_site_omit=exists; Path=/; Domain=portal.localhost; Max-Age=1200; HttpOnly
Set-Cookie: debug_csrf_same_site_none=exists; Path=/; Domain=portal.localhost; Max-Age=1200; HttpOnly
Set-Cookie: debug_csrf_same_site_lax=exists; Path=/; Domain=portal.localhost; Max-Age=1200; HttpOnly; SameSite=Lax
Set-Cookie: debug_csrf_same_site_strict=exists; Path=/; Domain=portal.localhost; Max-Age=1200; HttpOnly; SameSite=Strict
Set-Cookie: web_err=eyJGb3JtIjp7ImdvcmlsbGEuY3NyZi5Ub2tlbiI6WyJibzd2YWpQaUs4NlBqdWZRK1NNaWhrenArTk4vNXJaM09zYUtIMkh5RkRjRm5qWjVoM0ljUTVUU1A0MmhtV3B4YkJmOWtyZTcrcU9hVDVxOHJZdlJIdz09Il0sInhfYWN0aW9uIjpbImxvZ2luX2lkIl0sInhfbG9naW5faWQiOlsiYWRzZmFkc2FkZnMiXSwieF9sb2dpbl9pZF9pbnB1dF90eXBlIjpbInRleHQiXX0sIkVycm9yIjp7Im5hbWUiOiJJbnZhbGlkIiwicmVhc29uIjoiVmFsaWRhdGlvbkZhaWxlZCIsIm1lc3NhZ2UiOiJpbnZhbGlkIHZhbHVlIiwiY29kZSI6NDAwLCJpbmZvIjp7ImNhdXNlcyI6W3sibG9jYXRpb24iOiIiLCJraW5kIjoicmVxdWlyZWQiLCJkZXRhaWxzIjp7ImFjdHVhbCI6WyJpZGVudGlmaWNhdGlvbiIsImxvZ2luX2lkIl0sImV4cGVjdGVkIjpbImJvdF9wcm90ZWN0aW9uIiwiaWRlbnRpZmljYXRpb24iLCJsb2dpbl9pZCJdLCJtaXNzaW5nIjpbImJvdF9wcm90ZWN0aW9uIl19fSx7ImxvY2F0aW9uIjoiIiwia2luZCI6InJlcXVpcmVkIiwiZGV0YWlscyI6eyJhY3R1YWwiOlsiaWRlbnRpZmljYXRpb24iLCJsb2dpbl9pZCJdLCJleHBlY3RlZCI6WyJib3RfcHJvdGVjdGlvbiIsImlkZW50aWZpY2F0aW9uIiwibG9naW5faWQiXSwibWlzc2luZyI6WyJib3RfcHJvdGVjdGlvbiJdfX0seyJsb2NhdGlvbiI6IiIsImtpbmQiOiJyZXF1aXJlZCIsImRldGFpbHMiOnsiYWN0dWFsIjpbImlkZW50aWZpY2F0aW9uIiwibG9naW5faWQiXSwiZXhwZWN0ZWQiOlsiYm90X3Byb3RlY3Rpb24iLCJpZGVudGlmaWNhdGlvbiIsImxvZ2luX2lkIl0sIm1pc3NpbmciOlsiYm90X3Byb3RlY3Rpb24iXX19LHsibG9jYXRpb24iOiIiLCJraW5kIjoicmVxdWlyZWQiLCJkZXRhaWxzIjp7ImFjdHVhbCI6WyJpZGVudGlmaWNhdGlvbiIsImxvZ2luX2lkIl0sImV4cGVjdGVkIjpbImFzc2VydGlvbl9yZXNwb25zZSIsImJvdF9wcm90ZWN0aW9uIiwiaWRlbnRpZmljYXRpb24iXSwibWlzc2luZyI6WyJhc3NlcnRpb25fcmVzcG9uc2UiLCJib3RfcHJvdGVjdGlvbiJdfX0seyJsb2NhdGlvbiI6IiIsImtpbmQiOiJyZXF1aXJlZCIsImRldGFpbHMiOnsiYWN0dWFsIjpbImlkZW50aWZpY2F0aW9uIiwibG9naW5faWQiXSwiZXhwZWN0ZWQiOlsiYWxpYXMiLCJib3RfcHJvdGVjdGlvbiIsImlkZW50aWZpY2F0aW9uIiwicmVkaXJlY3RfdXJpIl0sIm1pc3NpbmciOlsiYWxpYXMiLCJib3RfcHJvdGVjdGlvbiIsInJlZGlyZWN0X3VyaSJdfX0seyJsb2NhdGlvbiI6Ii9pZGVudGlmaWNhdGlvbiIsImtpbmQiOiJjb25zdCIsImRldGFpbHMiOnsiYWN0dWFsIjoidXNlcm5hbWUiLCJleHBlY3RlZCI6ImVtYWlsIn19LHsibG9jYXRpb24iOiIvaWRlbnRpZmljYXRpb24iLCJraW5kIjoiY29uc3QiLCJkZXRhaWxzIjp7ImFjdHVhbCI6InVzZXJuYW1lIiwiZXhwZWN0ZWQiOiJwaG9uZSJ9fSx7ImxvY2F0aW9uIjoiL2lkZW50aWZpY2F0aW9uIiwia2luZCI6ImNvbnN0IiwiZGV0YWlscyI6eyJhY3R1YWwiOiJ1c2VybmFtZSIsImV4cGVjdGVkIjoicGFzc2tleSJ9fSx7ImxvY2F0aW9uIjoiL2lkZW50aWZpY2F0aW9uIiwia2luZCI6ImNvbnN0IiwiZGV0YWlscyI6eyJhY3R1YWwiOiJ1c2VybmFtZSIsImV4cGVjdGVkIjoib2F1dGgifX1dfX19; Path=/; Domain=portal.localhost; HttpOnly; SameSite=Lax
Vary: Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Date: Wed, 10 Jul 2024 07:47:37 GMT
Content-Length: 0

Measuring Content-Security-Policy size,

echo "default-src 'self'; script-src 'strict-dynamic' 'nonce-DQA12T13HX36DH5SVR6JX7CEXS8TJJJZ' www.googletagmanager.com eu-assets.i.posthog.com https://browser.sentry-cdn.com 'self'; frame-src www.googletagmanager.com 'self'; font-src cdnjs.cloudflare.com static2.sharepointonline.com fonts.googleapis.com fonts.gstatic.com 'self'; style-src 'unsafe-inline' cdnjs.cloudflare.com www.googletagmanager.com fonts.googleapis.com 'self'; img-src http: https: data: 'self'; object-src 'none'; base-uri 'none'; connect-src 'self' https://www.google-analytics.com ws://accounts.portal.localhost:3000 wss://accounts.portal.localhost:3000; block-all-mixed-content; frame-ancestors 'none'"  | wc

we have 672 bytes

1      41     672

Some directions to explore

Drop support for CSP1 for script-src
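Added example, not part of the issue or of the authgear code base: a small Go program that reproduces the measurement above and checks it against nginx's `proxy_buffer_size`. The function names (`HeaderLineSize`, `HeaderBlockSize`, `DirectiveSizes`, `FitsProxyBuffer`) are mine; the CSP value is the one from the sample response, and the large `web_err` cookie is replaced by a constructed stand-in of similar size because the real payload is not needed to show the budget problem. It measures the CSP value as it is counted on the wire (the `672` from `echo | wc` includes the newline that `echo` appends; the header value itself is 671 bytes, 698 bytes once `Content-Security-Policy: ` and `\r\n` are added), reports which directive dominates, and serialises a header block with `net/http` the same way a Go server would so the total can be compared with the 4k/8k nginx buffer.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// SampleCSP is the Content-Security-Policy value from the sample response in the issue.
const SampleCSP = "default-src 'self'; script-src 'strict-dynamic' 'nonce-DQA12T13HX36DH5SVR6JX7CEXS8TJJJZ' www.googletagmanager.com eu-assets.i.posthog.com https://browser.sentry-cdn.com 'self'; frame-src www.googletagmanager.com 'self'; font-src cdnjs.cloudflare.com static2.sharepointonline.com fonts.googleapis.com fonts.gstatic.com 'self'; style-src 'unsafe-inline' cdnjs.cloudflare.com www.googletagmanager.com fonts.googleapis.com 'self'; img-src http: https: data: 'self'; object-src 'none'; base-uri 'none'; connect-src 'self' https://www.google-analytics.com ws://accounts.portal.localhost:3000 wss://accounts.portal.localhost:3000; block-all-mixed-content; frame-ancestors 'none'"

// HeaderLineSize is the wire size of one "Name: value\r\n" header line.
func HeaderLineSize(name, value string) int {
	return len(name) + len(": ") + len(value) + len("\r\n")
}

// HeaderBlockSize serialises h the way net/http writes it (one line per
// value, so repeated Set-Cookie headers count separately) and returns the
// byte count of the whole header block, excluding the status line and the
// blank line that terminates the headers.
func HeaderBlockSize(h http.Header) int {
	var buf bytes.Buffer
	_ = h.Write(&buf) // writing into a bytes.Buffer cannot fail
	return buf.Len()
}

// DirectiveSizes splits a CSP value on ';' and returns the byte length of
// each directive (name plus its source list), keyed by directive name, so a
// reviewer can see which directive is worth trimming first.
func DirectiveSizes(csp string) map[string]int {
	sizes := make(map[string]int)
	for _, part := range strings.Split(csp, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		sizes[strings.Fields(part)[0]] = len(part)
	}
	return sizes
}

// FitsProxyBuffer reports whether the status line plus a header block of
// blockSize bytes fits in an nginx proxy_buffer_size of bufSize bytes.
// nginx reads the whole response head into that single buffer and answers
// 502 ("upstream sent too big header") when it does not fit, so this is a
// hard ceiling, not a soft target.
func FitsProxyBuffer(statusLine string, blockSize, bufSize int) bool {
	return len(statusLine)+len("\r\n")+blockSize+len("\r\n") <= bufSize
}

func main() {
	// Constructed subset of the sample response. The real web_err cookie is a
	// base64 blob of roughly 2 KB; a stand-in of 'x' characters of comparable
	// size is used here so the program stays readable.
	h := http.Header{}
	h.Set("Cache-Control", "no-store")
	h.Set("Content-Security-Policy", SampleCSP)
	h.Set("Location", "/login")
	h.Add("Set-Cookie", "debug_csrf_same_site_lax=exists; Path=/; Domain=portal.localhost; Max-Age=1200; HttpOnly; SameSite=Lax")
	h.Add("Set-Cookie", "web_err="+strings.Repeat("x", 2200)+"; Path=/; Domain=portal.localhost; HttpOnly; SameSite=Lax")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("X-Frame-Options", "DENY")

	fmt.Printf("CSP value: %d bytes (echo | wc reports 672 because of the trailing newline)\n", len(SampleCSP))
	fmt.Printf("CSP header line on the wire: %d bytes\n", HeaderLineSize("Content-Security-Policy", SampleCSP))

	// Largest directives first.
	sizes := DirectiveSizes(SampleCSP)
	names := make([]string, 0, len(sizes))
	for n := range sizes {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { return sizes[names[i]] > sizes[names[j]] })
	for _, n := range names {
		fmt.Printf("  %-24s %4d bytes\n", n, sizes[n])
	}

	block := HeaderBlockSize(h)
	fmt.Printf("header block (constructed subset): %d bytes\n", block)
	for _, buf := range []int{4096, 8192} {
		fmt.Printf("fits proxy_buffer_size %dk: %v\n", buf/1024, FitsProxyBuffer("HTTP/1.1 302 Found", block, buf))
	}
}
```

Running it shows that `script-src` is the largest directive of the CSP, and that once the `web_err` cookie is present the header block no longer fits a 4k `proxy_buffer_size`, which is the failure the issue is trying to stay clear of; trimming the CSP alone buys a few hundred bytes, while the cookie payload dominates the total.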

linear[bot] commented 4 months ago

DEV-1537 Review Response headers `Content-Security-Policy`