Rework CSP config #13

Merged: djbe merged 6 commits into main from feature/rework-csp-config on Oct 24, 2025
Conversation

djbe (Contributor) commented Mar 1, 2025

Rework some systems to allow for ENV based configuration:

  • Frame options
  • Content security policy

This lets us control such things using ENV injection via the Infra repo (so Sysops will control this). I've also added support for configuring part of the CSP via a settings file embedded in the Docker image.

⚠️ Yes, this IS a breaking change in the sense that the -unsecured images will disappear, or at least no longer be updated. We can pre-emptively add the vars we want as mentioned below, and change the repositories that use unsecured (there are a bunch of them).

Config via ENV

See the Readme for the list of supported ENV keys. Those of note are:

  • NGINX_CSP_MODE: Defaults to report-only, set it to enforce to enable enforcement.
  • NGINX_CSP_REPORT_URI: send reports to (e.g.) Sentry.
  • NGINX_FRAME_OPTIONS: Defaults to deny, controls the old X-Frame-Options header. Set to disable to remove it completely.

Config via defaults

The same keys (well, most of them) can be set via a defaults file located at /etc/csp-generator/default. Its contents should look like this (note the quotes where needed):

SCRIPT_SRC="'self' 'unsafe-inline' https://mysite.com"
STYLE_SRC="'self' https://css.mysite.com"

Such a file could be placed there with the following in a Dockerfile (TBD, not final filenames):

COPY --from=build /app/.csp-config /etc/csp-generator/default

Default configuration

The provided defaults are VERY limited. The generated headers will be (equivalent to):

X-Frame-Options: deny
Content-Security-Policy: default-src 'self';

This CSP would barely allow anything: only connecting to itself, loading from itself, etc. Existing applications WILL break with this setup.

Quick unsecure setup

Values for easy "allow everything" (i.e. any HTTPS url, choose what you actually need):

NGINX_FRAME_OPTIONS=disable
NGINX_CSP_MODE=report-only

# optional
NGINX_CSP_CHILD_SRC="'self' data: blob: https:"
NGINX_CSP_CONNECT_SRC="'self' data: blob: https:"
NGINX_CSP_FONT_SRC="'self' https:"
NGINX_CSP_FRAME_ANCESTORS="'self' https:"
NGINX_CSP_FRAME_SRC="'self' https:"
NGINX_CSP_IMG_SRC="'self' data: blob: https:"
NGINX_CSP_MANIFEST_SRC="'self' data: blob: https:"
NGINX_CSP_MEDIA_SRC="'self' https:"
NGINX_CSP_OBJECT_SRC="'self' https:"
NGINX_CSP_SCRIPT_SRC="'self' 'unsafe-inline' 'unsafe-eval' data: blob: https:"
NGINX_CSP_STYLE_SRC="'self' 'unsafe-inline' https:"
NGINX_CSP_WORKER_SRC="'self' data: blob: https:"

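To make the precedence described above concrete (ENV key wins, then the /etc/csp-generator/default file, then the bare `default-src 'self'` fallback, with NGINX_CSP_MODE picking the header name and NGINX_FRAME_OPTIONS=disable dropping X-Frame-Options), here is an added POSIX shell sketch of such a generator. It is example code, not the project's own csp-generator; the CSP_DEFAULTS_FILE override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's generator. Assumes the defaults file holds
# one KEY="value" per line and that env keys are named NGINX_CSP_<DIRECTIVE>.
CSP_DEFAULTS_FILE="${CSP_DEFAULTS_FILE:-/etc/csp-generator/default}"

# Resolve one directive (e.g. SCRIPT_SRC): ENV beats the defaults file.
csp_value() {
  eval "env_val=\${NGINX_CSP_$1:-}"
  if [ -n "$env_val" ]; then printf '%s' "$env_val"; return 0; fi
  [ -r "$CSP_DEFAULTS_FILE" ] || return 0
  # Last matching KEY="..." line wins; the surrounding quotes are stripped.
  sed -n "s/^$1=\"\(.*\)\"$/\1/p" "$CSP_DEFAULTS_FILE" | tail -n 1
}

# Build the policy string. default-src 'self' is always emitted, so an
# image with no config at all still gets the restrictive default.
csp_policy() {
  policy="default-src 'self'"
  for d in CHILD_SRC CONNECT_SRC FONT_SRC FRAME_ANCESTORS FRAME_SRC IMG_SRC \
           MANIFEST_SRC MEDIA_SRC OBJECT_SRC SCRIPT_SRC STYLE_SRC WORKER_SRC; do
    v=$(csp_value "$d")
    [ -n "$v" ] || continue
    name=$(printf '%s' "$d" | tr 'A-Z_' 'a-z-')   # SCRIPT_SRC -> script-src
    policy="$policy; $name $v"
  done
  if [ -n "${NGINX_CSP_REPORT_URI:-}" ]; then
    policy="$policy; report-uri $NGINX_CSP_REPORT_URI"
  fi
  printf '%s;' "$policy"
}

# report-only is the default; only an explicit "enforce" switches headers.
csp_header_name() {
  case "${NGINX_CSP_MODE:-report-only}" in
    enforce) printf 'Content-Security-Policy' ;;
    *)       printf 'Content-Security-Policy-Report-Only' ;;
  esac
}

# nginx add_header line for the CSP, for inclusion in a server {} block.
csp_nginx_line() {
  printf 'add_header %s "%s" always;\n' "$(csp_header_name)" "$(csp_policy)"
}

# X-Frame-Options defaults to deny; "disable" removes the header entirely.
frame_options_nginx_line() {
  case "${NGINX_FRAME_OPTIONS:-deny}" in
    disable) ;;
    *) printf 'add_header X-Frame-Options "%s" always;\n' "${NGINX_FRAME_OPTIONS:-deny}" ;;
  esac
}
```

Sourcing this in a container entrypoint and writing the two lines into an nginx include file gives a quick way to diff the effective policy between a staging (report-only) and an enforcing deployment.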
djbe force-pushed the feature/rework-csp-config branch from 96fb6e1 to 1ce52b3 on March 1, 2025 00:31
ernest-app bot added the 📃 S PR label and removed the 📃 M PR label on Mar 1, 2025
djbe force-pushed the feature/rework-csp-config branch from 1ce52b3 to 882fd4d on March 1, 2025 01:27
djbe force-pushed the feature/rework-csp-config branch from 882fd4d to 69a16eb on March 1, 2025 03:29
djbe marked this pull request as ready for review on March 1, 2025 03:44
djbe force-pushed the feature/rework-csp-config branch from 69a16eb to 76c96e3 on March 3, 2025 01:24
djbe force-pushed the feature/rework-csp-config branch from 76c96e3 to ad9deb9 on March 19, 2025 11:18
djbe force-pushed the feature/rework-csp-config branch 2 times, most recently from 43d59e8 to 38313a4 on March 19, 2025 11:59
djbe (Contributor, Author) commented Apr 9, 2025

Initial intention would be to set the CSP:

  • To secure (default) on dev & test
  • Report only on staging & production
  • Try to link it with Sentry using the report-url (see project settings > sdk setup > security headers > CSP, looks like https://sentry.appwi.se/api/347/security/?sentry_key=…)

This way we don't break anything for clients/users, but DO force our developers to deal with CSP issues ASAP.

djbe force-pushed the feature/rework-csp-config branch from 38313a4 to 0fed1c9 on April 14, 2025 00:52
djbe force-pushed the feature/rework-csp-config branch 2 times, most recently from 642e2f9 to 3ebb570 on August 28, 2025 22:24
djbe force-pushed the feature/rework-csp-config branch from 3ebb570 to f6943f6 on September 8, 2025 14:47
djbe force-pushed the main branch 6 times, most recently from 9c2dfe9 to 4a9999c on September 9, 2025 20:33
djbe force-pushed the feature/rework-csp-config branch 2 times, most recently from dec5833 to f661f4c on September 17, 2025 13:19
djbe force-pushed the feature/rework-csp-config branch from 04dad33 to f218d6b on October 24, 2025 13:09
ernest-app bot added the 📃 XL PR label and removed the 📃 L PR label on Oct 24, 2025
djbe (Contributor, Author) commented Oct 24, 2025

I've switched the default mode to report-only for now, to ease deployment. We'll switch this to "enforce" by default at a later date, once it's been set in all infra repos.

djbe merged commit 7f3556d into main on Oct 24, 2025 (26 checks passed)
djbe deleted the feature/rework-csp-config branch on October 24, 2025 13:13