bbc / simorgh

The BBC's Open Source Web Application. Contributions welcome! Used on some of our biggest websites, e.g.

https://www.bbc.com/thai

Other

1.38k stars 215 forks source link

WSTEAM1-1068: Add csp next #11694

Closed shayneahchoon closed 2 months ago

shayneahchoon commented 2 months ago

Resolves JIRA WSTEAM1-1068

Overall changes

Add the following csp headers onto the Next.js app:

 policiesFromExpress= [
  'default-src',
  'child-src',
  'connect-src',
  'font-src',
  'frame-src',
  'img-src',
  'script-src',
  'style-src',
  'media-src',
  'worker-src',
  'report-to',
  'upgrade-insecure-requests',
];

Code changes

Next.js middleware function altered to append csp onto both the request and response headers.
Helmet csp function in the express app refactored to prevent dependency resolution errors from Next.js app.

Testing

List the steps used to test this PR.

Helpful Links

Add Links to useful resources related to this PR if applicable.

Coding Standards

Repository use guidelines