
The previous listings do not include the implementation of CSP. This single security header required more source code than all the other headers combined. Listing 7 presents the CSP, which limits the external sources from which scripts (and other resources) may be loaded and executed in the application. The short comments state which integrated technology requires each allowed source, while the remaining comments are self-explanatory.

5. IMPLEMENTATION Master of Science in Technology Thesis

    import * as express from 'express';
    import { Express } from 'express';
    const helmet = require('helmet');

    const expressApp: Express = express(); // Create Express instance.

    expressApp.use(
      helmet.contentSecurityPolicy({
        browserSniff: false, // Disable browser sniffing.
        directives: {
          baseUri: ["'self'"], // Restricts use of the "<base>" tag to origin (without subdomains). This directive doesn't use "default-src" as fallback, thus by default it allows anything.
          blockAllMixedContent: true, // Prevent loading any assets using HTTP when the page is loaded using HTTPS.
          childSrc: [
            "'self'", // Default policy for valid sources for web workers and nested browsing contexts loaded using elements such as "<frame>" and "<iframe>": allow all content coming from origin (without subdomains).
            'https://vars.hotjar.com' // Hotjar.
          ],
          connectSrc: [
            "'self'", // Default policy for restricting the URLs which can be loaded using script interfaces: allow all content coming from origin (without subdomains).
            'https://agastya-version.oswaldlabs.com', // Agastya.
            'https://firebasestorage.googleapis.com', // Cloud Storage for Firebase.
            'https://firestore.googleapis.com', // Cloud Firestore.
            'https://platform-beta.oswaldlabs.com', // Agastya.
            'https://www.google-analytics.com', // Universal Analytics (Google Analytics).
            'https://*.hotjar.com:*', // Hotjar.
            'https://vc.hotjar.io:*', // Hotjar.
            'wss://*.hotjar.com' // Hotjar.
          ],
          defaultSrc: [
            "'none'" // Default policy used as fallback for the other CSP fetch directives [list of these: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src]: disallows everything.
          ],
          fontSrc: [
            "'self'", // Default policy for specifying valid sources for fonts loaded using "@font-face": allow all content coming from origin (without subdomains).
            'https://fonts.gstatic.com', // Google Fonts.
            'https://script.hotjar.com' // Hotjar.
          ],
          formAction: ["'self'"], // Default policy for restricting the URLs which can be used as the target of form submissions from a given context: allow all content coming from origin (without subdomains). This directive doesn't use "default-src" as fallback, thus by default it allows anything.
          frameAncestors: ["'self'"], // Default policy for specifying valid parents that may embed a page using "<frame>", "<iframe>", "<object>", "<embed>", or "<applet>". This directive doesn't use "default-src" as fallback, thus by default it allows anything. This is basically clickjacking protection.
          frameSrc: [
            "'self'", // Default policy for specifying valid sources for nested browsing contexts loaded using elements such as "<frame>" and "<iframe>": allow all content coming from origin (without subdomains).
            'https://agastya-version.oswaldlabs.com', // Agastya.
            'https://vars.hotjar.com', // Hotjar.
            'https://www.google.com' // reCAPTCHA.
          ],
          imgSrc: [
            "'self'", // Default policy for specifying valid sources of images and favicons: allow all content coming from origin (without subdomains).
            'https://www.google-analytics.com', // Universal Analytics (Google Analytics).
            'https://www.googletagmanager.com', // Google Tag Manager.
            'https://www.google.com', // reCAPTCHA.
            'https://script.hotjar.com' // Hotjar.
          ],
          manifestSrc: ["'self'"], // Default policy for specifying which manifest can be applied to the resource: allow all content coming from origin (without subdomains).
          objectSrc: ["'none'"], // Default policy for specifying valid sources for the "<object>", "<embed>", and "<applet>" elements. It also influences "pluginTypes" by disallowing all of them. The "pluginTypes" directive doesn't use "default-src" as fallback, thus by default it allows anything.
          scriptSrc: [
            "'self'", // Default policy for valid sources for JavaScript: allow all content coming from origin (without subdomains).
            "'unsafe-eval'", // Insecure, but required due to Angular's SSR.
            'https://agastya-version.oswaldlabs.com', // Agastya.
            'https://ditectrev.us15.list-manage.com', // MailChimp.
            'https://platform.oswaldlabs.com', // Agastya.
            'https://platform-beta.oswaldlabs.com', // Agastya.
            'https://script.hotjar.com', // Hotjar.
            'https://static.hotjar.com', // Hotjar.
            'https://ssl.google-analytics.com', // Universal Analytics (Google Analytics).
            'https://www.google-analytics.com', // Universal Analytics (Google Analytics).
            'https://www.googletagmanager.com', // Google Tag Manager.
            'https://www.google.com', // reCAPTCHA.
            'https://www.gstatic.com' // reCAPTCHA.
          ],
          styleSrc: [
            "'self'", // Default policy for valid sources for stylesheets: allow all content coming from origin (without subdomains).
            "'unsafe-inline'", // Insecure, but required in order to render styles generated by the Angular compiler, which on SSR are generated as inline styles.
            'https://fonts.googleapis.com' // Google Fonts.
          ],
          upgradeInsecureRequests: true // Instruct the browser to upgrade insecure HTTP (and ws://) requests for active and passive content to HTTPS (wss://) before fetching.
        }
      })
    );

Listing 7: CSP for developed application.
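To make the mapping between Helmet's camelCase directive keys and the header the browser actually receives concrete, the following TypeScript is an added example; it is not code from the thesis and does not use Helmet. It serialises a directives object of the same shape as Listing 7 into a Content-Security-Policy header value, parses such a header back, and audits it for the weakenings a reviewer would look for: 'unsafe-eval' and 'unsafe-inline', a missing default-src, missing directives that do not fall back to default-src (base-uri, form-action, frame-ancestors), and wildcard or plain-HTTP sources. The sample policy is a constructed subset of Listing 7, and the function names (directiveName, buildCspHeader, parseCsp, auditCsp) are this example's own.

```typescript
// Added example, not part of the thesis or of the Helmet library.
type Directives = { [key: string]: string[] | boolean };

// camelCase key -> CSP directive name, e.g. scriptSrc -> script-src,
// upgradeInsecureRequests -> upgrade-insecure-requests.
function directiveName(key: string): string {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialise a Helmet-shaped directives object into a header value.
// Boolean directives take no source list; `false` drops them entirely.
function buildCspHeader(directives: Directives): string {
  const parts: string[] = [];
  for (const key of Object.keys(directives)) {
    const value = directives[key];
    const name = directiveName(key);
    if (typeof value === 'boolean') {
      if (value) parts.push(name);
    } else if (value.length > 0) {
      parts.push(name + ' ' + value.join(' '));
    }
  }
  return parts.join('; ');
}

// Parse a header value into directive -> source list (directive names are case-insensitive).
function parseCsp(header: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    out.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return out;
}

// Return human-readable findings; an empty list means no weakening was detected.
function auditCsp(header: string): string[] {
  const csp = parseCsp(header);
  const findings: string[] = [];
  const defaultSrc = csp.get('default-src');
  if (!defaultSrc) {
    findings.push('missing default-src: unlisted fetch directives allow anything');
  }
  // Keywords that disable the main protection CSP gives against injected code.
  for (const d of ['script-src', 'style-src']) {
    const sources = csp.get(d) || defaultSrc || [];
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (sources.indexOf(kw) !== -1) findings.push(d + ' allows ' + kw);
    }
  }
  // These directives never fall back to default-src, so they must be set explicitly.
  for (const d of ['base-uri', 'form-action', 'frame-ancestors']) {
    if (!csp.has(d)) findings.push('missing ' + d + ': does not fall back to default-src');
  }
  // object-src does fall back, but only default-src 'none' closes it.
  const defaultIsNone = !!defaultSrc && defaultSrc.indexOf("'none'") !== -1;
  if (!csp.has('object-src') && !defaultIsNone) findings.push('missing object-src');
  csp.forEach((sources, d) => {
    for (const s of sources) {
      if (s === '*' || s === 'http:' || s.indexOf('http://') === 0) {
        findings.push(d + ' allows insecure or wildcard source ' + s);
      }
    }
  });
  return findings;
}

// Constructed sample: a subset of the sources in Listing 7, same shape as Helmet's directives.
const sampleDirectives: Directives = {
  defaultSrc: ["'none'"],
  baseUri: ["'self'"],
  formAction: ["'self'"],
  frameAncestors: ["'self'"],
  objectSrc: ["'none'"],
  scriptSrc: ["'self'", "'unsafe-eval'", 'https://www.google.com'],
  styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
  blockAllMixedContent: true,
  upgradeInsecureRequests: true,
};

const sampleHeader = buildCspHeader(sampleDirectives);
console.log('Content-Security-Policy: ' + sampleHeader);
auditCsp(sampleHeader).forEach((f) => console.log('finding: ' + f));
```

Run against the sample, the audit reports exactly the two weakenings the thesis itself acknowledges in its comments ('unsafe-eval' in script-src and 'unsafe-inline' in style-src) and nothing else, because default-src 'none' plus explicit base-uri, form-action and frame-ancestors close the directives that do not inherit from default-src. Pointing auditCsp at a policy such as "script-src *" shows how much is left open when those directives are omitted.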
