julianpoemp / nestjs-redox

This NestJS module auto-generates API docs using Swagger and Redoc. It supports NestJS 10, ExpressJS and Fastify.
MIT License

Feature Request: Customize CSP Header #6

Closed vllange closed 1 month ago

vllange commented 1 month ago

Hey,

sorry for the many issues 🙃

I use the standalone version so that redoc doesn't have to be loaded externally. Unfortunately, there is no way to prevent redoc's logo from being loaded via their CDN. PRs have already been rejected by them. (Their logo is currently the only resource that is still loaded externally.)

I would like to use a fully GDPR-compliant solution and would therefore like to do without access to their CDN. To do this, the Content Security Policy header could be configured so that only 'self' and/or self-configured domains can be loaded (e.g. for logo).

Would it be possible and would you like to make the header overwritable via NestJSRedoxOptions?

Thank you very much!

https://github.com/julianpoemp/nestjs-redox/blob/d4cbbbaabcf1ce4d411c2c7fcea319058cf01164/libs/nestjs-redox/src/lib/nestjs-redox.module.ts#L284-L290

julianpoemp commented 1 month ago

For this issue I already commented some time ago here. The issue is still ignored. https://github.com/Redocly/redoc/issues/2141

I don't understand why the redoc team doesn't load their icon locally: It's not about removing the icon, it's about having no traffic to third-party servers.

What do you think about changing RedoxOptions to

export class NestJSRedoxOptions {
  // prefix the served path on which redoc is available with the global prefix
  useGlobalPrefix?: boolean = false;
  disableGoogleFont?: boolean = false;
  auth?: {
    enabled?: boolean;
    users: Record<string, string>;
  };
  /**
   * set this if resolving the absolute path to the bundles directory doesn't work. E.g. when using pkg.
   */
  redocBundlesDir?: string;

  /**
   * Enable this if you want to serve your own redoc installation. You have to install redoc as dependency.
   * @default: false
   */
  standalone?: boolean = false;

  /**
   * Overwrites given headers after nestjs-redox set default headers (e.g. content security policy).
   */
  overwriteHeadersWith?: Record<string, string>;

  constructor(partial?: Partial<NestJSRedoxOptions>) {
    if (partial) {
      Object.assign(this, partial);
    }
  }
}

Furthermore, I have been thinking about replacing the CDN link using a regex and saving the icon to the package. That would show the correct icon instead of some placeholder.
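The header override and the "no third-party traffic" goal discussed above, as an added example that is not nestjs-redox code: it builds a 'self'-centred Content-Security-Policy for the Redoc page, applies the proposed overwriteHeadersWith semantics (case-insensitive replacement of a default header), checks whether a given resource URL would be permitted by the resulting policy, and scans served HTML for hosts that are still fetched externally. The directive set, the page origin https://api.example.com, the hosts static.example.com and cdn.example.net, and the sample HTML are all assumptions constructed for the example; the real module's default headers and the real CDN URL are not reproduced here.

```typescript
// Added example, not nestjs-redox code. Hosts, origin and directives are assumptions.

type Headers = Record<string, string>;

export interface CspOptions {
  extraImgSources?: string[]; // e.g. the host of a self-hosted logo
  allowGoogleFonts?: boolean; // the inverse of the module's disableGoogleFont option
}

// Builds a restrictive CSP. Which directives the Redoc page really needs must be
// verified against the served HTML; 'unsafe-inline' for styles is an assumption.
export function buildCsp(opts: CspOptions = {}): string {
  const style = ["'self'", "'unsafe-inline'"];
  const font = ["'self'"];
  if (opts.allowGoogleFonts) {
    style.push("https://fonts.googleapis.com");
    font.push("https://fonts.gstatic.com");
  }
  const directives: Array<[string, string[]]> = [
    ["default-src", ["'self'"]],
    ["script-src", ["'self'"]],
    ["style-src", style],
    ["img-src", ["'self'", "data:", ...(opts.extraImgSources ?? [])]],
    ["font-src", font],
    ["connect-src", ["'self'"]],
  ];
  return directives.map(([name, src]) => `${name} ${src.join(" ")}`).join("; ");
}

// Header names are case-insensitive: an override must drop a default spelled
// differently, otherwise both CSP headers are sent and the browser enforces both.
export function overwriteHeaders(defaults: Headers, overrides?: Headers): Headers {
  const out: Headers = { ...defaults };
  for (const name of Object.keys(overrides ?? {})) {
    for (const existing of Object.keys(out)) {
      if (existing.toLowerCase() === name.toLowerCase()) delete out[existing];
    }
    out[name] = (overrides as Headers)[name];
  }
  return out;
}

export function parseCsp(header: string): Map<string, string[]> {
  const policy = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // a repeated directive is ignored by browsers; the first occurrence wins
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function origin(url: string): { scheme: string; host: string } | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#:]+)/i.exec(url);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

// Simplified CSP source matching: 'none', 'self', '*', scheme-source (data:),
// host-source with optional scheme and leading '*.'. Ports and paths are ignored.
export function cspAllows(header: string, directive: string, url: string, pageOrigin: string): boolean {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get("default-src") ?? [];
  const target = origin(url);
  const self = origin(pageOrigin);
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") {
      if (target && self && target.scheme === self.scheme && target.host === self.host) return true;
      continue;
    }
    if (s.startsWith("'")) continue; // 'unsafe-inline', nonces, hashes: not URL sources
    if (s === "*") { if (target) return true; continue; }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { if (url.toLowerCase().startsWith(s)) return true; continue; }
    const hm = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::\d+)?(?:\/.*)?$/.exec(s);
    if (hm && target) {
      const [, scheme, wildcard, host] = hm;
      if (scheme && scheme !== target.scheme) continue;
      if (wildcard ? target.host.endsWith("." + host) : target.host === host) return true;
    }
  }
  return false;
}

// Third-party hosts referenced by src/href attributes, to confirm that after the
// logo replacement nothing is still loaded from outside the page's own origin.
export function externalHosts(html: string, pageOrigin: string): string[] {
  const self = origin(pageOrigin);
  const hosts = new Set<string>();
  const re = /\b(?:src|href)=["']([a-z][a-z0-9+.-]*:\/\/[^"']+)["']/gi;
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    const o = origin(m[1]);
    if (o && !(self && o.host === self.host)) hosts.add(o.host);
  }
  return Array.from(hosts).sort();
}

// Constructed sample: a page that still references an external logo.
export const SAMPLE_HTML =
  '<img src="https://cdn.example.net/logo.png"><script src="/redoc.standalone.js"></script>' +
  '<link href="https://api.example.com/spec.json">';
```

Usage: build the default header with buildCsp({ allowGoogleFonts: true }), pass an override such as { "content-security-policy": buildCsp({ extraImgSources: ["https://static.example.com"] }) } through overwriteHeaders, then confirm with cspAllows that the self-hosted logo is permitted and the CDN host is not, and with externalHosts that the served HTML no longer references any third-party host.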

vllange commented 1 month ago

Hey,

I totally agree with your suggestion of adding overwriteHeadersWith. If that works well, the way with the replacement would of course be even better ;)

I'm not interested in removing their logo or notice, but I don't want any external calls (and in my opinion this is also very needless)

julianpoemp commented 1 month ago

@vllange just released v1.2.0 supporting header overwrite and replacing redoc image with local one. Please check it out.

vllange commented 1 month ago

Thanks, I tested and it works as expected! Huge thanks for your work!