feat(infra): restreint le access-control-allow-policy, les permissions-policy...

feat(infra): restreint le access-control-allow-policy, les permissions-policy et les x-content-type-options (#1161)

feat(infra): restreint le access-control-allow-policy, les permissions-policy...
fe477f22 · BITARD Michaël · GitHub · 276b0868 · fe477f22 · fe477f22
Unverified Commit fe477f22 authored 1 year ago by BITARD Michaël Committed by GitHub 1 year ago
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -68,7 +68,7 @@ databaseInit(pool).then(() => {
    },
  })

-  app.use(cors({ credentials: true, exposedHeaders: ['Content-disposition'] }), compression(), limiter, authJwt, authBasic, userLoader, cookieParser(), connectedCatcher)
+  app.use(cors({ origin: false, credentials: true, exposedHeaders: ['Content-disposition'] }), compression(), limiter, authJwt, authBasic, userLoader, cookieParser(), connectedCatcher)

  // Le Timeout du sse côté frontend est mis à 45 secondes, on envoie un ping toutes les 30 secondes
  const ssePingDelayInSeconds = 30

--- a/ui_nginx_headers.conf
+++ b/ui_nginx_headers.conf
@@ -2,5 +2,6 @@ add_header Content-Security-Policy "worker-src blob: ; child-src blob: ;default-
 add_header X-Frame-Options "DENY";
 add_header X-Content-Type-Options "nosniff";
 add_header X-XSS-Protection "1; mode=block";
-add_header Access-Control-Allow-Origin "*";
-add_header Referrer-Policy "same-origin";
\ No newline at end of file
+add_header Referrer-Policy "same-origin";
+add_header Permissions-Policy "accelerometer=(), attribution-reporting=(), autoplay=(), browsing-topics=(), camera=(), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-prefers-color-scheme=(), ch-prefers-reduced-motion=(), ch-prefers-reduced-transparency=(), ch-rtt=(), ch-save-data=(), ch-ua=(), ch-ua-arch=(), ch-ua-bitness=(), ch-ua-form-factor=(), ch-ua-full-version=(), ch-ua-full-version-list=(), ch-ua-mobile=(), ch-ua-model=(), ch-ua-platform=(), ch-ua-platform-version=(), ch-ua-wow64=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(), clipboard-write=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), interest-cohort=(), join-ad-interest-group=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), private-aggregation=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-get=(), run-ad-auction=(), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), storage-access=(), sync-xhr=(), unload=(), usb=(), window-management=(), xr-spatial-tracking=()";
+add_header X-Content-Type-Options "nosniff";