My opinionated ruby on rails template

Remove strict CSP policy - make it optional and disabled by default

Co-authored-by: jaspermayone <65788728+jaspermayone@users.noreply.github.com>

+39 -36
+1 -1
README.md
··· 65 65 - **BlindIndex** — Search encrypted fields without decryption 66 66 - **InvisibleCaptcha** — Honeypot spam protection 67 67 - **Strong Migrations** — Prevents dangerous migrations in production 68 - - **CSP & CORS** — Content Security Policy and cross-origin headers 68 + - **CSP & CORS** — Optional Content Security Policy (disabled by default) and cross-origin headers 69 69 - **Security Scanning** — Bundler-audit and Brakeman in CI 70 70 71 71 ### Admin Dashboards
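Review bot: the reworded bullet at new line 68 tells the reader CSP is optional and off by default but not where the switch is; since the initializer this template generates now ships entirely commented out, the README should name the file to edit (the generated `config/initializers/content_security_policy.rb`, from `initializer 'content_security_policy.rb'` in modules/csp.rb) so the feature stays discoverable rather than silently absent. Suggest "Optional Content Security Policy (disabled by default; enable in `config/initializers/content_security_policy.rb`) and cross-origin headers".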
+38 -35
modules/csp.rb
··· 5 5 gem 'rack-cors' 6 6 # bundler-audit included by Rails 8 7 7 8 - say ' Configuring Content Security Policy...', :cyan 8 + say ' Skipping strict Content Security Policy (configured as permissive)...', :cyan 9 9 initializer 'content_security_policy.rb', <<~RUBY 10 10 # frozen_string_literal: true 11 11 12 - # Define an application-wide content security policy 12 + # Content Security Policy (CSP) is disabled by default for flexibility. 13 + # Uncomment and configure the policy below if you need stricter security controls. 13 14 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy 14 15 15 - Rails.application.configure do 16 - config.content_security_policy do |policy| 17 - policy.default_src :self 18 - policy.font_src :self, :data, 'https://fonts.gstatic.com' 19 - policy.img_src :self, :data, :blob 20 - policy.object_src :none 21 - policy.script_src :self 22 - policy.style_src :self, :unsafe_inline, 'https://fonts.googleapis.com' 23 - policy.frame_ancestors :self 24 - policy.base_uri :self 25 - policy.form_action :self 26 - 27 - # Allow connections to same origin and websockets 28 - policy.connect_src :self, :wss 29 - 30 - # Report violations to your error tracking service 31 - # policy.report_uri '/csp-report' 32 - end 33 - 34 - # Generate nonce for inline scripts/styles 35 - # Use <%= csp_meta_tag %> in your layout and 36 - # <%= javascript_tag nonce: true %> for inline scripts 37 - config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } 38 - config.content_security_policy_nonce_directives = %w[script-src style-src] 39 - 40 - # Report CSP violations without enforcing (useful for rollout) 41 - # config.content_security_policy_report_only = true 42 - end 16 + # Rails.application.configure do 17 + # config.content_security_policy do |policy| 18 + # policy.default_src :self 19 + # policy.font_src :self, :data, 'https://fonts.gstatic.com' 20 + # policy.img_src :self, :data, :blob 21 + # 
policy.object_src :none 22 + # policy.script_src :self 23 + # policy.style_src :self, :unsafe_inline, 'https://fonts.googleapis.com' 24 + # policy.frame_ancestors :self 25 + # policy.base_uri :self 26 + # policy.form_action :self 27 + # 28 + # # Allow connections to same origin and websockets 29 + # policy.connect_src :self, :wss 30 + # 31 + # # Report violations to your error tracking service 32 + # # policy.report_uri '/csp-report' 33 + # end 34 + # 35 + # # Generate nonce for inline scripts/styles 36 + # # Use <%= csp_meta_tag %> in your layout and 37 + # # <%= javascript_tag nonce: true %> for inline scripts 38 + # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } 39 + # config.content_security_policy_nonce_directives = %w[script-src style-src] 40 + # 41 + # # Report CSP violations without enforcing (useful for rollout) 42 + # # config.content_security_policy_report_only = true 43 + # end 43 44 RUBY 44 45 45 46 say ' Configuring CORS...', :cyan ··· 83 84 } 84 85 RUBY 85 86 86 - say ' Adding CSP meta tag to layout...', :cyan 87 - inject_into_file 'app/views/layouts/application.html.erb', after: "<%= csrf_meta_tags %>\n" do 88 - " <%= csp_meta_tag %>\n" 89 - end 87 + say ' Skipping CSP meta tag (CSP is disabled by default)...', :cyan 88 + # CSP meta tag is not added since CSP is disabled by default 89 + # Uncomment below if you enable CSP in the initializer 90 + # inject_into_file 'app/views/layouts/application.html.erb', after: "<%= csrf_meta_tags %>\n" do 91 + # " <%= csp_meta_tag %>\n" 92 + # end 90 93 91 94 say 'Security hardening configured!', :green 92 - say ' CSP headers enabled (review policy for your needs)', :cyan 95 + say ' CSP headers disabled by default (review initializer to enable)', :cyan 93 96 say ' CORS configured for API routes', :cyan 94 97 say ' Run `bundle audit` to check for vulnerabilities', :yellow
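Review bot: commenting out the whole `Rails.application.configure` block (new lines 16-43) means the generated app sends no Content-Security-Policy header at all, yet the `say` on new line 8 claims the policy was "configured as permissive"; nothing is configured, so either change the message to say "no CSP policy configured" or keep a minimal active policy. A less drastic default that still avoids breaking apps would be to leave the policy active and uncomment `config.content_security_policy_report_only = true` (old line 41), so violations are reported but nothing is blocked; at minimum `policy.frame_ancestors :self` and `policy.object_src :none` could stay enforced, since neither affects scripts or styles. The commit title says "make it optional", but the template has no option: consider gating the strict block behind a `yes?` prompt in the template instead of shipping a commented-out initializer.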
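Review bot: the closing `say` at new line 95 tells the user to "review initializer to enable", but uncommenting the initializer alone is not enough: the nonce directives (`%w[script-src style-src]`) rely on `<%= csp_meta_tag %>` in the layout, and that injection (new lines 90-92) now survives only as comments in the template, which the generated app never sees, so whoever enables CSP later has to remember to add the tag by hand. Either keep the `inject_into_file` unconditional (`csp_meta_tag` only emits a meta tag when a policy is active, so it costs nothing otherwise) or extend the `say` message to mention the layout; the comment on new line 89 ("Uncomment below if you enable CSP in the initializer") likewise points at template code that is not present in the generated app.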