nginx: include security headers on error responses

.github/workflows/test.yml

@@ -45,7 +45,7 @@ jobs:
     - run: cd test/nginx && npm run lint
     - run: cd test/nginx && ./setup-tests.sh
     - run: cd test/nginx && npm run test:nginx
-    - run: cd test/nginx && ./gixy.sh
+    - run: cd test/nginx && ./lint-config.sh
 
     - if: always()
       run: cd test/nginx && docker compose -f nginx.test.docker-compose.yml logs --no-log-prefix nginx-ssl-selfsign

files/nginx/common-headers.conf

@@ -8,5 +8,5 @@ add_header Vary          $cache_header_vary;
 
 add_header Referrer-Policy same-origin;
 add_header Strict-Transport-Security "max-age=63072000" always;
-add_header X-Frame-Options "SAMEORIGIN";
-add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options nosniff always;

files/nginx/odk.conf.template

@@ -104,7 +104,7 @@ server {
 
   server_tokens off;
 
-  add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report";
+  add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report" always;
   include /usr/share/odk/nginx/common-headers.conf;
 
   client_max_body_size 100m;
@@ -160,7 +160,7 @@ server {
     # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
     # Use 'none' per directive instead of falling back to default-src to make CSP violation reports more specific
     proxy_hide_header Content-Security-Policy-Report-Only;
-    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/ https://translate.google.com https://translate.googleapis.com; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/ https://tile.openstreetmap.org/ https://translate.google.com; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'unsafe-inline'; report-uri /csp-report";
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/ https://translate.google.com https://translate.googleapis.com; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/ https://tile.openstreetmap.org/ https://translate.google.com; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'unsafe-inline'; report-uri /csp-report" always;
 
     include /usr/share/odk/nginx/common-headers.conf;
   }
@@ -173,7 +173,7 @@ server {
 
   location ~ ^/v\d {
     proxy_hide_header Content-Security-Policy-Report-Only;
-    add_header Content-Security-Policy-Report-Only "default-src 'none'; report-uri /csp-report";
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; report-uri /csp-report" always;
 
     include /usr/share/odk/nginx/common-headers.conf;
     include /usr/share/odk/nginx/backend.conf;
@@ -183,7 +183,7 @@ server {
     root /usr/share/nginx/html;
     try_files /blank.html =404;
 
-    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report";
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report" always;
     include /usr/share/odk/nginx/common-headers.conf;
   }
   location = /blank.html {
@@ -194,7 +194,7 @@ server {
     root /usr/share/nginx/html;
     try_files $uri $uri/ /index.html;
 
-    add_header Content-Security-Policy-Report-Only "$central_frontend_csp";
+    add_header Content-Security-Policy-Report-Only "$central_frontend_csp" always;
 
     include /usr/share/odk/nginx/common-headers.conf;
   }

test/nginx/lint-config.sh

@@ -0,0 +1,62 @@
+#!/bin/bash -eu
+set -o pipefail
+shopt -s inherit_errexit
+
+log() { echo >&2 "[$(basename "$0")] $*"; }
+
+docker_compose() {
+  docker compose --file nginx.test.docker-compose.yml "$@"
+}
+
+lint_service() {
+  local service="$1"
+  log "$service: checking config..."
+  docker_compose exec "$service" bash -euc '
+    echo "[lint-config] installing python..."
+    apt update
+    apt install -y python3-venv
+    python3 -m venv .venv
+    . .venv/bin/activate
+
+    echo "[lint-config] installing semgrep..."
+    pip install semgrep
+    cat >.semgrep.yml <<EOF
+rules:
+  - id: nginx-add-header-missing-always
+    languages: [generic]
+    message: "Security headers should include \`always\` param to ensure they are sent with error responses (4xx, 5xx)."
+    severity: ERROR
+    patterns:
+      - pattern-regex: "\\\\badd_header\\\\s+(Strict-Transport-Security|X-Content-Type-Options|X-Frame-Options|Content-Security-Policy|Content-Security-Policy-Report-Only)\\\\s+.*"
+      - pattern-not-regex: "(?i)add_header\\\\s+.*\\\\balways\\\\b\\\\s*;"
+EOF
+    echo "[lint-config] running semgrep..."
+    semgrep scan --verbose \
+                 --error \
+                 --severity ERROR \
+                 --metrics=off \
+                 --disable-version-check \
+                 --no-git-ignore \
+                 --config p/nginx \
+                 --config .semgrep.yml \
+                 -- \
+                 /etc/nginx/conf.d/odk.conf \
+                 /usr/share/odk/nginx/
+
+    # gixy-ng is a maintained fork of gixy: https://github.com/dvershinin/gixy
+    # For version updates, see: https://pypi.org/project/gixy-ng/#history
+    echo "[lint-config] installing gixy..."
+    pip install gixy-ng==0.2.12
+    echo "[lint-config] running gixy..."
+    gixy -lll
+
+    echo "[lint-config] All completed OK."
+  '
+
+  log "$service: config looks OK."
+}
+
+lint_service nginx-ssl-selfsign
+lint_service nginx-ssl-upstream
+
+log "Completed OK."