ENG-2404: Update CSP headers to include docs pages

changelog/7235-add-docs-csp-headers.yaml

@@ -0,0 +1,7 @@
+# Copy this file and rename it (e.g., pr-number.yaml or feature-name.yaml)
+# Fill in the required fields and delete this comment block
+
+type: Fixed # One of: Added, Changed, Developer Experience, Deprecated, Docs, Fixed, Removed, Security
+description: Adds CSP headers for docs pages
+pr: 7235 # PR number
+labels: [] # Optional: ["high-risk", "db-migration"]

src/fides/api/util/security_headers.py

@@ -23,13 +23,58 @@ class HeaderRule:
     headers: list[HeaderDefinition]
 
 
+# used for both swagger and redocs packages
+jsdelivr_domain = "cdn.jsdelivr.net"
+fast_api_domain = "fastapi.tiangolo.com"
+redocly_cdn_domain = "cdn.redoc.ly"
+google_fonts_domain = "fonts.googleapis.com"
+gstatic_fonts_domain = "fonts.gstatic.com"
+
+recommended_csp_header_value_for_swagger = re.sub(
+    r"\s{2,}",
+    " ",
+    f"""
+        default-src 'self';
+        script-src 'self' {jsdelivr_domain} 'unsafe-inline' ;
+        style-src 'self' {jsdelivr_domain} 'unsafe-inline' ;
+        connect-src 'self';
+        img-src 'self' {fast_api_domain} blob: data:;
+        font-src 'self';
+        object-src 'none';
+        base-uri 'self';
+        form-action 'self';
+        frame-ancestors 'self';
+        upgrade-insecure-requests;
+    """,
+).strip()
+
+
+recommended_csp_header_value_for_redoc = re.sub(
+    r"\s{2,}",
+    " ",
+    f"""
+        default-src 'self';
+        script-src 'self' {jsdelivr_domain} 'unsafe-inline' blob:;
+        style-src 'self' {jsdelivr_domain} {gstatic_fonts_domain} {google_fonts_domain} 'unsafe-inline' ;
+        connect-src 'self';
+        img-src 'self' {fast_api_domain} {redocly_cdn_domain} blob: data:;
+        font-src 'self' {gstatic_fonts_domain} {google_fonts_domain};
+        object-src 'none';
+        base-uri 'self';
+        form-action 'self';
+        frame-ancestors 'self';
+        upgrade-insecure-requests;
+        worker-src blob:;
+    """,
+).strip()
+
 recommended_csp_header_value = re.sub(
     r"\s{2,}",
     " ",
     """
         default-src 'self';
-        script-src 'self' 'unsafe-inline';
-        style-src 'self' 'unsafe-inline';
+        script-src 'self' 'unsafe-inline' ;
+        style-src 'self' 'unsafe-inline' ;
         connect-src 'self';
         img-src 'self' blob: data:;
         font-src 'self';
@@ -50,7 +95,7 @@ class HeaderRule:
         ],
     ),
     HeaderRule(
-        matcher=re.compile(r"^/((?!api|health).*)"),
+        matcher=re.compile(r"^/((?!api|health|docs|redoc).*)"),
         headers=[
             (
                 "Content-Security-Policy",
@@ -59,6 +104,20 @@ class HeaderRule:
             ("X-Frame-Options", "SAMEORIGIN"),
         ],
     ),
+    HeaderRule(
+        matcher=re.compile(r"/docs.*"),
+        headers=[
+            ("Content-Security-Policy", recommended_csp_header_value_for_swagger),
+            ("X-Frame-Options", "SAMEORIGIN"),
+        ],
+    ),
+    HeaderRule(
+        matcher=re.compile(r"/redoc.*"),
+        headers=[
+            ("Content-Security-Policy", recommended_csp_header_value_for_redoc),
+            ("X-Frame-Options", "SAMEORIGIN"),
+        ],
+    ),
 ]
 
 

tests/api/util/test_security_headers.py

@@ -9,6 +9,8 @@
     apply_headers_to_response,
     get_applicable_header_rules,
     is_exact_match,
+    recommended_csp_header_value_for_swagger,
+    recommended_csp_header_value_for_redoc,
     recommended_csp_header_value,
     recommended_headers,
 )
@@ -103,6 +105,42 @@ def test_apply_headers_to_response(self):
                     ("X-Frame-Options", "SAMEORIGIN"),
                 ],
             ),
+            (
+                "/docs",
+                [
+                    (
+                        "X-Content-Type-Options",
+                        "nosniff",
+                    ),
+                    (
+                        "Strict-Transport-Security",
+                        "max-age=31536000",
+                    ),
+                    (
+                        "Content-Security-Policy",
+                        recommended_csp_header_value_for_swagger,
+                    ),
+                    ("X-Frame-Options", "SAMEORIGIN"),
+                ],
+            ),
+            (
+                "/redoc",
+                [
+                    (
+                        "X-Content-Type-Options",
+                        "nosniff",
+                    ),
+                    (
+                        "Strict-Transport-Security",
+                        "max-age=31536000",
+                    ),
+                    (
+                        "Content-Security-Policy",
+                        recommended_csp_header_value_for_redoc,
+                    ),
+                    ("X-Frame-Options", "SAMEORIGIN"),
+                ],
+            ),
         ],
     )
     def test_recommended_headers_api_route(self, path, expected):