Enable page / app specific CSP

department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:

https://depo-platform-documentation.scrollhelp.site/index.html

281 stars 197 forks source link

Enable page / app specific CSP #15956

Open rianfowler opened 3 years ago

rianfowler commented 3 years ago

Overview

Every page on va.gov receives the same Content security policy headers
Some applications use third party libraries that require app specific exceptions in the CSP
Scope of risk can be reduced by only providing the CSP headers a page needs to function properly

Potential tasks

separate global and route specific CSP headers

rianfowler commented 3 years ago

if FE tools owns the html server, then they should implement this
this task could be owned by identity / security and implemented by FE Tools and devops cc @joeniquette @meganhkelley

joeniquette commented 3 years ago

I think we need to ensure that the Identity team isn't confused with security. As a security engineer I am focusing on Identity team efforts, but this does not mean that security initiatives fall under identity. I do not mind participating and helping/guiding the CSP, but we need to find a way to ensure this stays separate from Identity. @f1337 and @christine-dillman your thoughts and guidance?

f1337 commented 3 years ago

Agreed @joeniquette. Right now, I am the security team. Joe is my backup (not in terms of expertise in any manner, just in terms of role) That won't scale, and I'm working with Dror and Joe to establish what we want from a security practice group. We're making progress, but not done yet. Until then, ping me for anything general security related. Joe is swamped with trying to make the IAM handoff less of a dumpster fire.