Merge pull request #338 from nemozak1/develop

Add Content Security Policy Headers
2026-02-06 13:16:52 +00:00 · 2023-11-06 17:48:45 +01:00 · 2023-11-06 17:48:45 +01:00 · 1f95eb1123
commit 1f95eb1123
parent 0668febbd0 6812c95077
5 changed files with 50 additions and 7 deletions
--- a/apimanager/apimanager/settings.py
+++ b/apimanager/apimanager/settings.py
@ -77,6 +77,7 @@ INSTALLED_APPS = [

 MIDDLEWARE = [
    # 'django.middleware.cache.UpdateCacheMiddleware',
+    'csp.middleware.CSPMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.locale.LocaleMiddleware',
@ -88,6 +89,20 @@ MIDDLEWARE = [
    # 'django.middleware.cache.FetchFromCacheMiddleware',
 ]

+# Content Security Policy - External Urls for scripts, styles, and images should be included here
+#TODO these outside scripts should really just be loaded when we run "manage.py collectstatic"
+# Or the whole static folder could be uploaded to github, this prevents API manager breaking when
+# we run it on a server that may not connect to these sites
+
+# Inline styles loaded by jsoneditor.min.js have been allowed by adding their hashes to CSP_STYLE_SRC
+
+CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
+CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
+CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
+CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/') 
+CSP_FRAME_ANCESTORS = ("'self'")
+CSP_FORM_ACTION = ("'self'")
+
 #cache the view page, we set 60s = 1m,
 # CACHE_MIDDLEWARE_SECONDS = 60

@ -123,7 +138,8 @@ TEMPLATES = [
                'base.context_processors.api_tester_url',
                'base.context_processors.portal_page',
                'base.context_processors.logo_url',
-                'base.context_processors.override_css_url'
+                'base.context_processors.override_css_url',
+                'csp.context_processors.nonce'
            ],
        },
    },
--- a/apimanager/base/static/css/base.css
+++ b/apimanager/base/static/css/base.css
@ -31,6 +31,9 @@ footer a:hover, .footer a:focus {
 	color: #fff;
 }

+.footer-content-wrapper {
+	cursor:pointer;
+}

 .navbar-brand img {
 	height: 20px;
@ -74,6 +77,20 @@ footer a:hover, .footer a:focus {
 	margin-top: -6px;
 }

+.navbar-inner {
+	margin-left:15% !important;
+}
+
+.navbar-nav {
+	margin-left:8rem;
+}
+
+.obp-home-button {
+	position:absolute;
+	margin-left: -70px !important;
+	top:-5px;
+}
+
 /*.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:active {*/
    /*background-color: #53c4ef;*/
 /*}*/
@ -211,6 +228,12 @@ table.tablesorter thead tr .headerSortDown, table.tablesorter thead tr .headerSo
    margin-left:5rem;
    text-decoration: none !important;
 }
+
+.language-select > a {
+	color:#fff;
+	text-decoration: none !important;
+}
+
 #uk {
    cursor:pointer;
 }
--- a/apimanager/base/templates/base.html
+++ b/apimanager/base/templates/base.html
@ -19,7 +19,7 @@

 <body>
        <nav class="navbar navbar-default navbar-fixed-top" role="navigation">
-            <div style="margin-left:15% !important;">
+            <div class="navbar-inner">
                <div class="navbar-header">
                    <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
 						<span class="sr-only">Toggle navigation</span>
@ -29,8 +29,8 @@
 					</button>
                </div>
                <div id="navbar" class="collapse navbar-collapse">
-                    <ul class="nav navbar-nav" style="margin-left:8rem">
-                        <li> <a href="{% url 'home' %}" style="position:absolute; margin-left: -70px !important; top:-5px"><img src="{{ logo_url }}" alt="brand"></a></li>
+                    <ul class="nav navbar-nav">
+                        <li> <a class="obp-home-button" href="{% url 'home' %}"><img src="{{ logo_url }}" alt="brand"></a></li>
                        <li><a href="{{ API_PORTAL }}">{% trans "Home" %}</a></li>
                        {% url "consumers-index" as consumers_index_url %}
                        <li {% if consumers_index_url in request.path %} class="active" {% endif %}><a href="{{ consumers_index_url }}">{% trans "Consumers" %}</a></li>
@ -107,7 +107,7 @@
                                <p class="navbar-right button-select"><span id="navbar-login-username">{{API_USERNAME}}</span>&nbsp;&nbsp;<a href="/logout" class="btn btn-default">{% trans "Logout" %} </a></p>
                                {% endif %}
                            </li>
-                        <li class="language-select language_underline_format"><a style="color:#fff; text-decoration: none !important;">Language
+                        <li class="language-select language_underline_format"><a>Language
                            <span id="gb">EN</span>
                            |
                            <span id="es">ES</span></a></li>
@ -128,7 +128,7 @@
    {% endif %}
        <div class="container" id="body-container">
            {% block content %}{% endblock content %}
-            <div class="footer-content-wrapper" data-lift="WebUI.homePage" style="cursor:pointer">
+            <div class="footer-content-wrapper" data-lift="WebUI.homePage">
            </div>
        </div>
    <footer>
--- a/apimanager/customers/static/customers/css/customers.css
+++ b/apimanager/customers/static/customers/css/customers.css
@ -6,3 +6,7 @@ input#id_kyc_status {
    width: auto;
    margin: -4px 0;
 }
+
+.displaynone {
+    display:none;
+}
--- a/apimanager/customers/templates/customers/create.html
+++ b/apimanager/customers/templates/customers/create.html
@ -96,7 +96,7 @@
                    {{ form.date_of_birth_date }}
                </div>
            </div>
-            <div class="col-xs-12 col-sm-4" style="display:none">
+            <div class="col-xs-12 col-sm-4 displaynone">
                {% if form.date_of_birth_time.errors %}<div class="alert alert-danger">{{ form.date_of_birth_time.errors }}</div>{% endif %}
                <div class="form-group">
                    {{ form.date_of_birth_time.label_tag }}