Add CSP plugin

- OWASP flagged a minor issue with CSP. Checking if this will fix the issue
2025-02-22 01:31:25 -08:00 · 2022-07-01 10:50:37 -07:00 · 2022-07-01 10:50:37 -07:00 · e571f80008
commit e571f80008
parent e418ebacf4
3 changed files with 36 additions and 0 deletions
--- a/client/gatsby-config.js
+++ b/client/gatsby-config.js
@ -105,5 +105,21 @@ module.exports = {
        sampleRate: 0.7,
      },
    },
+    {
+      resolve: `gatsby-plugin-csp`,
+      options: {
+        disableOnDev: true,
+        reportOnly: false, // Changes header to Content-Security-Policy-Report-Only for csp testing purposes
+        mergeScriptHashes: true, // you can disable scripts sha256 hashes
+        mergeStyleHashes: true, // you can disable styles sha256 hashes
+        mergeDefaultDirectives: true,
+        directives: {
+          'script-src': '\'self\' www.google-analytics.com',
+          'style-src': '\'self\' \'unsafe-inline\'',
+          'img-src': '\'self\' data: www.google-analytics.com',
+          // you can add your directives or override defaults
+        },
+      },
+    },
  ],
 };
--- a/client/package-lock.json
+++ b/client/package-lock.json
@ -14,6 +14,7 @@
        "@trussworks/react-uswds": "^2.9.0",
        "@turf/bbox": "^6.5.0",
        "d3-ease": "^3.0.1",
+        "gatsby-plugin-csp": "^1.1.3",
        "gatsby-plugin-env-variables": "^2.2.0",
        "gatsby-plugin-robots-txt": "^1.7.0",
        "gatsby-plugin-sitemap": "^4.10.0",
@ -11697,6 +11698,15 @@
        "node": ">=12.13.0"
      }
    },
+    "node_modules/gatsby-plugin-csp": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/gatsby-plugin-csp/-/gatsby-plugin-csp-1.1.3.tgz",
+      "integrity": "sha512-jTAdWpJXCAaqBXAmf07XVnsgHp7tdtC36XrOQUMRMrEOkEIpM+x+4X3Xma4YAmFbuGH+QKRGmbmCCRNhV//EDA==",
+      "dependencies": {
+        "@babel/runtime": "^7.0.0",
+        "lodash.flatten": "^4.4.0"
+      }
+    },
    "node_modules/gatsby-plugin-env-variables": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/gatsby-plugin-env-variables/-/gatsby-plugin-env-variables-2.2.0.tgz",
@ -35666,6 +35676,15 @@
        "micromatch": "^4.0.4"
      }
    },
+    "gatsby-plugin-csp": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/gatsby-plugin-csp/-/gatsby-plugin-csp-1.1.3.tgz",
+      "integrity": "sha512-jTAdWpJXCAaqBXAmf07XVnsgHp7tdtC36XrOQUMRMrEOkEIpM+x+4X3Xma4YAmFbuGH+QKRGmbmCCRNhV//EDA==",
+      "requires": {
+        "@babel/runtime": "^7.0.0",
+        "lodash.flatten": "^4.4.0"
+      }
+    },
    "gatsby-plugin-env-variables": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/gatsby-plugin-env-variables/-/gatsby-plugin-env-variables-2.2.0.tgz",
--- a/client/package.json
+++ b/client/package.json
@ -79,6 +79,7 @@
    "@trussworks/react-uswds": "^2.9.0",
    "@turf/bbox": "^6.5.0",
    "d3-ease": "^3.0.1",
+    "gatsby-plugin-csp": "^1.1.3",
    "gatsby-plugin-env-variables": "^2.2.0",
    "gatsby-plugin-robots-txt": "^1.7.0",
    "gatsby-plugin-sitemap": "^4.10.0",