
feat(repo): add stricter headers to network requests Refs BFE-449 #300

Open · wants to merge 6 commits into base: v2
Conversation

BrownBrownBear (Contributor)

So I've added headers in three different places.

  • In the Next.js middleware, which is recommended for Next.js apps. However, I found that the calls we were using in berajs weren't respecting these headers being applied. They're also a bit loose for the content security policy, so I'll just break down each one here:
default-src 'self' https: http:    // Allows loading resources from same origin and any HTTPS/HTTP source
script-src 'self'                  // Allows JavaScript from:
         'unsafe-inline'           // - Inline scripts (needed for dynamic)
         'unsafe-eval'             // - eval() and similar functions
         https://*.vercel-scripts.com  // - Vercel scripts
         https://*.hotjar.com      // - Hotjar analytics
style-src 'self' 'unsafe-inline'   // Allows CSS from same origin and inline styles
img-src 'self' data: https: http:  // Allows images from same origin, data URIs, and any HTTP/HTTPS source
connect-src 'self' https: http: ws: wss:  // Allows connections (fetch, WebSocket, etc.)
  • In the GraphQL clients. These are a bit stricter and apply the headers recommended by Halborn.
  • In the wagmi config. This will target all HTTP calls to the RPC endpoint.
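The loose policy quoted in the description above, compared with a tighter one, as an added example (not code from the PR or from the berachain repositories): a small evaluator for CSP fetch directives. It goes beyond the single policy on the page and implements the matching rules practitioners usually trip over: a scheme-source such as `https:` matches every host, `*.host` does not match the bare host, a path ending in `/` is a prefix match, an absent directive falls back to `default-src`, and `'unsafe-inline'` is ignored once a nonce or hash is present. The page origin `https://app.example`, the `STRICT` policy and the test URLs are constructed for illustration.

```javascript
// Added example, not the PR's code. Minimal evaluator for CSP fetch directives.

// Parse "directive src src; directive src" into Map<directive, sources[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives that fall back to default-src when not set (abbreviated CSP3 list).
const FALLBACK = new Set(['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'frame-src', 'media-src', 'object-src', 'worker-src']);

function sourcesFor(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLBACK.has(directive) && directives.has('default-src')) return directives.get('default-src');
  return null; // no directive applies: unrestricted
}

const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    // "*.hotjar.com" matches "static.hotjar.com" but not "hotjar.com" itself.
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression match a URL? Keyword sources ('unsafe-inline',
// 'unsafe-eval', 'nonce-...', hashes) never match URLs; they govern inline content.
function sourceMatches(source, url, pageOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const [, , , port, path] = m;
  // Scheme-less host-sources are taken to mean http/https here (the spec ties
  // them to the page's scheme; this simplification is enough for the comparison).
  if (scheme ? url.protocol !== scheme + ':' : !['http:', 'https:'].includes(url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port && port !== '*' && port !== urlPort) return false;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function isAllowed(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  const sources = sourcesFor(parsePolicy(policy), directive);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// 'unsafe-inline' is ignored by CSP2+ browsers as soon as a nonce or hash is
// present in the same directive, which is what nonce-based setups rely on.
function inlineScriptsAllowed(policy) {
  const sources = sourcesFor(parsePolicy(policy), 'script-src') || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash;
}

// The policy from the PR description, joined into one header value.
const LOOSE = [
  "default-src 'self' https: http:",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.vercel-scripts.com https://*.hotjar.com",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data: https: http:",
  "connect-src 'self' https: http: ws: wss:",
].join('; ');

// Constructed tighter policy: explicit hosts, no scheme-wide sources.
const STRICT = [
  "default-src 'self'",
  "script-src 'self' https://*.vercel-scripts.com https://*.hotjar.com",
  "img-src 'self' data: https://res.cloudinary.com/duv0g402y/",
  "connect-src 'self' https://api.example/ wss://rpc.example",
].join('; ');

const PAGE = 'https://app.example'; // constructed page origin

console.log('LOOSE lets fetch reach attacker host:',
  isAllowed(LOOSE, 'connect-src', 'https://attacker.example/exfil', PAGE));
console.log('STRICT lets fetch reach attacker host:',
  isAllowed(STRICT, 'connect-src', 'https://attacker.example/exfil', PAGE));
```

Run under Node. The first call returns true because `connect-src` carries `https:`, which is the looseness the description refers to: any HTTPS origin, including one an injected script would exfiltrate to, is a valid connection target. The same call against `STRICT` returns false. Note that `font-src` is absent from both policies, so it falls back to `default-src`, which in `LOOSE` is again `https: http:`.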

vercel bot commented Jan 2, 2025

The latest updates on your projects. Learn more about Vercel for Git

Name        Status      Updated (UTC)
storybook   ✅ Ready    Jan 13, 2025 1:42am
v2-honey    ✅ Ready    Jan 13, 2025 1:42am
v2-hub      ✅ Ready    Jan 13, 2025 1:42am

6 Skipped Deployments
Name            Status        Updated (UTC)
bartio-dex      ⬜️ Ignored    Jan 13, 2025 1:42am
bartio-honey    ⬜️ Ignored    Jan 13, 2025 1:42am
bartio-lend     ⬜️ Ignored    Jan 13, 2025 1:42am
bartio-perps    ⬜️ Ignored    Jan 13, 2025 1:42am
bartio-station  ⬜️ Ignored    Jan 13, 2025 1:42am
berajs-docs     ⬜️ Ignored    Jan 13, 2025 1:42am

BrownBrownBear (Contributor, Author) commented Jan 8, 2025

Next.js injected scripts with nonce: https://nextjs.org/docs/pages/building-your-application/configuring/content-security-policy
vercel/next.js#54152

Next-Themes script: pacocoursey/next-themes#36

Decided to keep inline styles, just because otherwise we would need stylesheets or Tailwind exclusively for all the styles we use.

@BrownBrownBear BrownBrownBear marked this pull request as draft January 8, 2025 20:20
@BrownBrownBear BrownBrownBear force-pushed the BFE-449-Audit-add-security-headers-HAL-01 branch from 9c0917d to da54ca5 January 8, 2025 20:40
@BrownBrownBear BrownBrownBear force-pushed the BFE-449-Audit-add-security-headers-HAL-01 branch from da54ca5 to 830d9ea January 8, 2025 21:46
@BrownBrownBear BrownBrownBear force-pushed the BFE-449-Audit-add-security-headers-HAL-01 branch from 830d9ea to c6da0cc January 8, 2025 21:54
@BrownBrownBear BrownBrownBear force-pushed the BFE-449-Audit-add-security-headers-HAL-01 branch from c6da0cc to efb6fc1 January 8, 2025 22:09
@BrownBrownBear BrownBrownBear force-pushed the BFE-449-Audit-add-security-headers-HAL-01 branch from a03f776 to 92c7831 January 8, 2025 22:27
};
font-src 'self' https://cdn.jsdelivr.net/npm/@fontsource/;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://res.cloudinary.com/duv0g402y/ https://raw.githubusercontent.com/berachain/default-lists/ https://assets.coingecko.com/coins/images/ https://iconic.dynamic-static-assets.com/;
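Review bot: the path-scoped sources on these lines (`https://cdn.jsdelivr.net/npm/@fontsource/`, `https://res.cloudinary.com/duv0g402y/`, `https://raw.githubusercontent.com/berachain/default-lists/`) only constrain the URL the browser first requests; per the CSP spec, once a fetch is redirected the path part of a source expression is ignored and only scheme, host and port are checked against the redirect target, so a redirecting endpoint on any of these hosts can still land anywhere on that host. Worth a short comment next to the `img-src` line so nobody later assumes the path is a hard boundary, and the trailing `/` on each of these should stay: without it the path is an exact match rather than a prefix and every asset under the directory would be blocked.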
BrownBrownBear (Contributor, Author)

@bearpong they recommended adding specific connections, so I've done that here.

@bearpong bearpong (Contributor) left a comment

LGTM, let's slightly refactor some parts:

  • read env variables to whitelist script-src and other csp headers
  • create a shared file for any repeated code (image patterns and middlewares)
