Merge pull request #145 from ruby-no-kai/csp

sorah · web-flow · commit 0a9095e7c71e · 2025-11-12T03:43:18.000+09:00
revive CSP headers
diff --git a/README.md b/README.md
@@ -87,13 +87,12 @@ You need to manually invalidate the cache: https://rubykaigi.esa.io/posts/1241#%
 ## Run locally
 
 ```
-docker build -t rko-router:latest .
-docker run --rm --name rko-router --publish 127.0.0.1::8080 rko-router:latest
+docker compose up --watch
 ```
 
 ```
-curl -H Host:rubykaigi.org http://$(docker port rko-router 8080)/
-TARGET_HOST=http://$(docker port rko-router 8080) bundle exec rspec
+curl -H Host:rubykaigi.org http://$(docker compose port nginx 8080)/
+TARGET_HOST=http://$(docker compose port nginx 8080) bundle exec rspec
 ```
 
 ## Test
diff --git a/config/github_pages.conf b/config/github_pages.conf
@@ -8,6 +8,8 @@ proxy_hide_header x-fastly-request-id;
 proxy_hide_header x-github-request-id;
 proxy_hide_header x-served-by;
 
+proxy_hide_header strict-transport-security;
+
 add_header via "1.1 rko-router.rubykaigi.org";
 add_header x-rk-ghp "fi=\"$upstream_http_x_fastly_request_id\",fs=\"$upstream_http_x_served_by\",ghi=\"$upstream_http_x_github_request_id\",cache=\"$upstream_http_x_cache\",cache-hits=\"$upstream_http_x_cache_hits\"";
 
diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
@@ -91,6 +91,8 @@ http {
 
   rewrite_log <%= ENV.fetch("REWRITE_LOG", 'off') %>;
 
+  add_header_inherit merge;
+
   server {
     listen <%= ENV.fetch("PORT") %> default_server;
     server_name <%= primary_host %> localhost;
@@ -210,10 +212,14 @@ http {
     server_name regional.rubykaigi.org;
 
     set $csp_policy "";
+    set $csp_policy_report "";
     if ($http_x_forwarded_proto = "https") {
-      set $csp_policy "default-src https: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://<%= primary_host %>/_csp";
+      set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; default-src https:";
+      set $csp_policy_report "default-src https:; report-uri https://<%= primary_host %>/_csp";
     }
-    add_header Content-Security-Policy-Report-Only "$csp_policy";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Content-Security-Policy "$csp_policy";
+    add_header Content-Security-Policy-Report-Only "$csp_policy_report";
 
     location ~ ^/oedo02(.*) {
       return 301 https://magazine.rubyist.net/articles/0039/0039-MetPragdaveAtAsakusarb.html;
@@ -495,21 +501,28 @@ http {
     server_name rubykaigi.org;
 
     set $csp_policy "";
+    set $csp_policy_report "";
     if ($http_x_forwarded_proto = "https") {
-      set $csp_policy "default-src https: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://<%= primary_host %>/_csp";
+      set $csp_policy "frame-ancestors 'none'; default-src https:";
+      set $csp_policy_report "default-src https:; report-uri https://<%= primary_host %>/_csp";
     }
-    add_header Content-Security-Policy-Report-Only "$csp_policy";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Strict-Transport-Security "max-age=31536000";
+    add_header Content-Security-Policy "$csp_policy";
+    add_header Content-Security-Policy-Report-Only "$csp_policy_report";
 
-    location ~ ^/200[6-9] {
+    location ~ ^/20(0[6-9]|1[0-5])(.*) {
         include force_https.conf;
         include github_pages.conf;
         proxy_hide_header Cache-Control;
         proxy_hide_header Expires;
+        # 2015 sites and prior had mixed content issues
+        set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; default-src https:";
         add_header Cache-Control "public, max-age=604800, s-maxage=31536000";
         proxy_pass https://2009-2011.rubykaigi.org;
     }
 
-    location ~ ^/201[0-9](.*) {
+    location ~ ^/201[6-9](.*) {
         include force_https.conf;
         include github_pages.conf;
         proxy_hide_header Cache-Control;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,11 @@
+services:
+  nginx:
+    build: .
+    ports:
+      - "127.0.0.1::8080"
+    develop:
+      watch:
+        - action: rebuild
+          path: .
+          ignore:
+            - tmp/
diff --git a/spec/regional_rubykaigi_org_spec.rb b/spec/regional_rubykaigi_org_spec.rb
@@ -72,13 +72,21 @@
 
         describe "/#{subdir}/" do
           let(:res) { http_get("https://regional.rubykaigi.org/#{subdir}/") }
+
           it "returns ok" do
             #pending 'kanrk05.herokuapp.com is down' if path == '/kansai05/'
             #pending 'http://rubykaigi-hamamatsu.s3-website-ap-northeast-1.amazonaws.com/hamamatsu01/ returns C-T:application/javascript' if path == '/hamamatsu01/'
             #pending 'asakusa.github.io returns 301 (#110)' if path == '/oedo10/'
             expect(res.code).to eq("200")
             expect(res["content-type"]).to include("text/html")
           end
+
+          it "has minimum security headers, but no hsts" do
+            expect(res["content-security-policy"]).to include("default-src https:")
+            expect(res["content-security-policy"]).to include("upgrade-insecure-requests")
+            expect(res["x-content-type-options"]).to eq("nosniff")
+            expect(res["strict-transport-security"]).to be_nil
+          end
         end
       end
     end
diff --git a/spec/rubykaigi_org_spec.rb b/spec/rubykaigi_org_spec.rb
@@ -1,7 +1,22 @@
 require_relative "./spec_helper"
 
 describe "http://rubykaigi.org" do
-  let(:latest_year) { "2026" }
+  LATEST_YEAR = "2026"
+  HOSTED_YEARS = [
+    *(2006..2020),
+    '2020-takeout',
+    '2021-takeout',
+    *(2022..LATEST_YEAR.to_i),
+  ].map(&:to_s).freeze
+
+  let(:latest_year) { LATEST_YEAR }
+
+  describe "meta: HOSTED_YEARS" do
+    subject { HOSTED_YEARS }
+    it { is_expected.to include(latest_year.to_s) }
+  end
+
+
 
   describe "(https) /" do
     let(:res) { http_get("https://rubykaigi.org/") }
@@ -128,13 +143,6 @@
     end
   end
 
-  HOSTED_YEARS = [
-    *(2006..2020),
-    '2020-takeout',
-    '2021-takeout',
-    *(2022..2023),
-  ]
-
   describe "force_https" do
     HOSTED_YEARS.each do |year|
       describe "/#{year}" do
@@ -177,6 +185,31 @@
     end
   end
 
+  describe "security headers" do
+    HOSTED_YEARS.each do |year|
+      describe "/#{year}/" do
+        let(:res) { http_get("https://rubykaigi.org/#{year}/") }
+        it "returns security header" do
+          expect(res["content-security-policy-report-only"]).to include("default-src https:")
+          expect(res["content-security-policy"]).to include("frame-ancestors 'none'")
+          expect(res["x-content-type-options"]).to eq("nosniff")
+          expect(res["strict-transport-security"]).to include("max-age=")
+        end
+      end
+    end
+
+    (2006..2015).each do |year|
+      describe "/#{year}/" do
+        let(:res) { http_get("https://rubykaigi.org/#{year}/") }
+        it "returns security header" do
+          expect(res["content-security-policy"]).to include("default-src https:")
+          expect(res["content-security-policy"]).to include("upgrade-insecure-requests")
+        end
+      end
+    end
+  end
+
+
   HOSTED_YEARS.each do |year|
     describe "/#{year}/" do
       let(:res) { http_get("https://rubykaigi.org/#{year}/") }
