Merge pull request #2098 from MTES-MCT/feature/1952-security-csp

[Sécurité] Ajout en-têtes de sécurité manquantes dont la CSP
MTES-MCT · Jan 12, 2024 · fc02a9f · fc02a9f
2 parents a289045 + b3d3bd2
commit fc02a9f
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 15 deletions.
diff --git a/.env b/.env
@@ -48,6 +48,7 @@ MATOMO_SITE_ID=1
 ZAPIER_OILHI_TOKEN=
 ZAPIER_OILHI_USER_ID=
 ZAPIER_OILHI_CREATE_AIRTABLE_RECORD_ZAP_ID=
+SECURITY_CSP_HEADER_VALUE="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.matomo.cloud https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com; img-src 'self' data: blob: https://voxusagers.numerique.gouv.fr https://*.tile.openstreetmap.org https://unpkg.com https://jedonnemonavis.numerique.gouv.fr; connect-src 'self' https://api-adresse.data.gouv.fr https://cdn.matomo.cloud https://koumoul.com; font-src 'self';"
 
 ### histologe ###
 

diff --git a/.env.sample b/.env.sample
@@ -34,6 +34,7 @@ MATOMO_SITE_ID=1
 ZAPIER_OILHI_TOKEN=
 ZAPIER_OILHI_ID=
 ZAPIER_OILHI_CREATE_AIRTABLE_RECORD_ZAP_ID=
+SECURITY_CSP_HEADER_VALUE="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.matomo.cloud https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com; img-src 'self' data: blob: https://voxusagers.numerique.gouv.fr https://*.tile.openstreetmap.org https://unpkg.com https://jedonnemonavis.numerique.gouv.fr; connect-src 'self' https://api-adresse.data.gouv.fr https://cdn.matomo.cloud https://koumoul.com; font-src 'self';"
 
 ###> knplabs/knp-snappy-bundle ###
 WKHTMLTOPDF_PATH=wkhtmltopdf

diff --git a/.scalingo/nginx/server.location b/.scalingo/nginx/server.location
@@ -1,5 +1,13 @@
 add_header X-Frame-Options "deny";
+add_header X-Content-Type-Options: nosniff;
+add_header X-XSS-Protection "1; mode=block";
 
+# Traitement des images sans le paramètre uuid dans l'URL pour un usager
+location ~* ^/_up/.*\.(jpg|jpeg|png)$ {
+    try_files $uri /index.php$is_args$args;
+}
+
+# Traitement des images avec le paramètre uuid dans l'URL pour un utilisateur
 location ~* ^/_up/.*\.(jpg|jpeg|png)/.*$ {
     try_files $uri /index.php$is_args$args;
 }

diff --git a/public/index.php b/public/index.php
@@ -1,15 +1,13 @@
-<?php
-
-use App\Kernel;
-
-require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
-
-return function (array $context) {
-    /*dump($_SERVER['REMOTE_ADDR']);*/
-/*    if($_SERVER['REMOTE_ADDR'] === '37.165.161.217')
-    {
-        $context['APP_ENV'] = 'dev';
-        $context['APP_DEBUG'] = true;
-    }*/
-    return new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
-};
+<?php
+
+use App\Kernel;
+
+require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
+
+return function (array $context) {
+    if (null !== $csp = $_SERVER['SECURITY_CSP_HEADER_VALUE'] ?? null) {
+        header('Content-Security-Policy: '.$csp);
+    }
+
+    return new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
+};