Merge pull request #2272 from HHS/mb/TTAHUB-3040/owasp

[TTAHUB-3040] Resolve OWASP warnings

Author: thewatermethod

.circleci/config.yml

@@ -406,7 +406,7 @@ parameters:
     default: "al-ttahub-2939-add-fei-root-cause-to-goal-card"
     type: string
   sandbox_git_branch:  # change to feature branch to test deployment
-    default: "jp/3112/rm-elasticsearch"
+    default: "mb/TTAHUB-3040/owasp"
     type: string
   prod_new_relic_app_id:
     default: "877570491"

frontend/public/index.html

@@ -3,8 +3,6 @@
   <head>
     <meta charset="utf-8" />
     <link rel="icon" href="%PUBLIC_URL%/logo64.png" />
-    <link rel="preconnect" href="https://fonts.gstatic.com">
-    <link href="https://fonts.googleapis.com/css2?family=Merriweather&display=swap" rel="stylesheet">
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="theme-color" content="#000000" />
     <meta

frontend/src/App.scss

@@ -9,6 +9,34 @@
   font-weight: bold;
 }
 
+@font-face {
+  font-family: 'Merriweather';
+  src: url('./assets/Merriweather-Regular.ttf') format('truetype');
+  font-weight: normal;
+}
+
+@font-face {
+  font-family: 'Merriweather';
+  src: url('./assets/Merriweather-Bold.ttf') format('truetype');
+  font-weight: bold;
+}
+
+@font-face {
+  font-family: 'Merriweather';
+  src: url('./assets/Merriweather-Italic.ttf') format('truetype');
+  font-style: italic;
+  font-weight: normal;
+}
+
+@font-face {
+  font-family: 'Merriweather';
+  src: url('./assets/Merriweather-BoldItalic.ttf') format('truetype');
+  font-style: italic;
+  font-weight: bold;
+}
+
+
+
 a {
   color: $text-link;
 }

frontend/src/assets/Merriweather-Bold.ttf

@@ -42,6 +42,7 @@ process.on('unhandledRejection', (reason, promise) => {
 });
 
 const app = express();
+
 const oauth2CallbackPath = '/oauth2-client/login/oauth2/code/';
 let index;
 
@@ -60,10 +61,27 @@ app.use(express.json({ limit: '2MB' }));
 app.use(express.urlencoded({ extended: true }));
 
 app.use((req, res, next) => {
+  // set the X-Content-Type-Options header to prevent MIME-sniffing
+  res.set('X-Content-Type-Options', 'nosniff');
+
+  // set nonce
   res.locals.nonce = crypto.randomBytes(16).toString('hex');
+
+  // set CSP
   const cspMiddleware = helmet.contentSecurityPolicy({
     directives: {
-      ...omit(helmet.contentSecurityPolicy.getDefaultDirectives(), 'upgrade-insecure-requests', 'block-all-mixed-content', 'script-src', 'img-src', 'default-src'),
+      ...omit(
+        helmet.contentSecurityPolicy.getDefaultDirectives(),
+        'upgrade-insecure-requests',
+        'block-all-mixed-content',
+        'script-src',
+        'img-src',
+        'default-src',
+        'style-src',
+        'font-src',
+      ),
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      fontSrc: ["'self'"],
       'form-action': ["'self'"],
       scriptSrc: ["'self'", '*.googletagmanager.com'],
       scriptSrcElem: ["'self'", 'https://*.googletagmanager.com', `'nonce-${res.locals.nonce}'`],
@@ -81,9 +99,11 @@ if (process.env.NODE_ENV === 'production' || process.env.NODE_ENV === 'dss') {
 }
 
 app.use('/api/v1', require('./routes/externalApi').default);
-
 app.use('/api', require('./routes/apiDirectory').default);
 
+// Disable "X-Powered-By" header
+app.disable('x-powered-by');
+
 // TODO: change `app.get...` with `router.get...` once our oauth callback has been updated
 app.get(oauth2CallbackPath, cookieSession, async (req, res) => {
   try {