
chore: Use a constant for the default CSP

jamesread 3 mesiacov pred
rodič
commit
b33aded230

+ 1 - 1
service/internal/config/config.go

@@ -281,7 +281,7 @@ func DefaultConfigWithBasePort(basePort int) *Config {
 	config.Prometheus.Enabled = false
 	config.Prometheus.DefaultGoMetrics = false
 	config.Security.HeaderContentSecurityPolicy = true
-	config.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'"
+	config.Security.ContentSecurityPolicy = ContentSecurityPolicyDefault
 	config.Security.HeaderXContentTypeOptions = true
 	config.Security.HeaderXFrameOptions = true
 	config.Security.XFrameOptions = "DENY"

+ 5 - 0
service/internal/config/constants.go

@@ -0,0 +1,5 @@
+package config
+
+// ContentSecurityPolicyDefault is the default Content-Security-Policy header value
+// when security headers are enabled and no custom policy is set.
+const ContentSecurityPolicyDefault = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'"
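Review bot: The doc comment on `ContentSecurityPolicyDefault` describes when the value is applied but not what the policy actually permits, and the value on this line is notably permissive: `script-src` allows `'unsafe-inline'` and any `https:` origin, which means an injected inline script or a script pulled from an arbitrary HTTPS host is not blocked by this header. Since this constant is now the single source of truth for both `DefaultConfigWithBasePort` and `sanitizeSecurityHeadersCSP`, that trade-off should be stated where a maintainer will see it. I would add below the existing comment: `// Note: script-src permits 'unsafe-inline' and any https: origin, so this default` / `// only partially mitigates script injection; set Security.ContentSecurityPolicy to tighten it.` A follow-up that drops `'unsafe-inline'` (e.g. via nonces or hashes) and enumerates the specific script hosts needed would be worth tracking separately; this commit itself changes no behaviour.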

+ 1 - 1
service/internal/config/sanitize.go

@@ -194,7 +194,7 @@ func (cfg *Config) sanitizeSecurityHeadersCSP() {
 	if !cfg.Security.HeaderContentSecurityPolicy || cfg.Security.ContentSecurityPolicy != "" {
 		return
 	}
-	cfg.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'"
+	cfg.Security.ContentSecurityPolicy = ContentSecurityPolicyDefault
 }
 
 func (cfg *Config) sanitizeSecurityHeadersXFrameOptions() {