yalelibrary / YUL-DC

Preliminary issue tracking for Yale University Libraries Digital Collections project

[Discuss] Investigate SPA results - CSP #2789

Closed laurenb33 closed 1 month ago

laurenb33 commented 3 months ago

We need to investigate and discuss how to apply the recommendations from the recent DCS SPA - starts on pg. 2 of the report (the link is in the Teams channel).

The first recommendation is add a Content Security Policy (CSP) to our web server, app server, load balancer etc. to help detect and mitigate certain types of attacks.

Important Links from @mikeapp

Acceptance

laurenb33 commented 2 months ago

In the February 2024 DCS SPA report, the first mitigation recommendation was that the DCS web server, application server, load balancer, etc. should be configured to set the Content-Security-Policy header. The development team would like to apply for an exception from this requirement because configuring a set CSP header for DCS would be difficult because we have inline JavaScript in many of our .html.erb files. The inline JS is in the .html.erb file so that variables are simpler to track. The lift it would take to excavate all of the inline JavaScript and organize it into separately packaged JavaScript is not insurmountable but would take relatively significant time to reorganize. Lastly, we have protections in place to monitor and protect from unwelcome or nefarious calls; our development and operations engineering team have implemented AWS WAFS on each cluster.
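
The inline-script conflict described in the comment above is the case the CSP `nonce` source expression was designed for: the header lists a fresh per-request nonce under `script-src`, and a browser runs an inline `<script>` only if it carries the matching `nonce` attribute, so the JavaScript can stay in the `.html.erb` templates. This is an added example in plain Ruby, not code from the YUL-DC project; it models what Rails' `content_security_policy` DSL, `content_security_policy_nonce_generator` and `javascript_tag nonce: true` do, and the policy values, helper names and sample script are constructed.

```ruby
require 'securerandom'

# Per-request nonce, as Rails' content_security_policy_nonce_generator
# would supply (assumed shape; not the project's own code).
def generate_nonce
  SecureRandom.base64(16)
end

# Build a Content-Security-Policy header value from a directive => sources
# hash. The nonce is appended to script-src so that only inline scripts
# carrying it may execute; everything else still needs an allowed origin.
def build_csp(policy, nonce)
  policy.map do |directive, sources|
    sources = sources + ["'nonce-#{nonce}'"] if directive == 'script-src'
    "#{directive} #{sources.join(' ')}"
  end.join('; ')
end

# Render an inline <script> block the way a nonce-aware view helper does
# (Rails: javascript_tag nonce: true). The code stays inline in the template.
def inline_script_tag(js, nonce)
  %(<script nonce="#{nonce}">#{js}</script>)
end

# The check a CSP-enforcing browser performs: an inline script runs only if
# its nonce attribute appears as 'nonce-...' in the script-src directive.
def script_allowed?(csp, tag)
  nonce = tag[/nonce="([^"]+)"/, 1]
  return false unless nonce
  directive = csp.split('; ').find { |d| d.start_with?('script-src ') }
  return false unless directive
  directive.split(' ').include?("'nonce-#{nonce}'")
end

# Constructed baseline policy for illustration only.
BASE_POLICY = {
  'default-src' => ["'self'"],
  'script-src'  => ["'self'"],
  'style-src'   => ["'self'"],
  'object-src'  => ["'none'"],
}.freeze

if __FILE__ == $0
  nonce  = generate_nonce
  header = build_csp(BASE_POLICY, nonce)
  puts "Content-Security-Policy: #{header}"
  puts script_allowed?(header, inline_script_tag('var itemId = 42;', nonce))
  puts script_allowed?(header, '<script>var injected = 1;</script>')
end
```

An inline block without the nonce (for example one injected through user content) is blocked under this policy, while template-rendered blocks that receive the nonce keep working.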

sshetenhelm commented 2 months ago

We can close these as soon as we get confirmation from Lauren that she's shared these with George.

laurenb33 commented 1 month ago

I submitted this exception on 5/6 - ready to close!