changeset 410:575764c36e16
Setup CSP Nonce on the server
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 08 Oct 2022 12:08:50 +0100 |
parents | 621e78abf82c |
children | 83f2e944a43f |
files | manifests/templates.pp modules/website/manifests/init.pp |
diffstat | 2 files changed, 14 insertions(+), 5 deletions(-) [+] |
--- a/manifests/templates.pp Wed May 25 20:54:03 2022 +0100 +++ b/manifests/templates.pp Sat Oct 08 12:08:50 2022 +0100 @@ -579,6 +579,10 @@ target => '/usr/share/zoneinfo/Europe/London', } + package { 'mod_cspnonce': + ensure => "installed", + } + # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) $mods = [ 'auth_basic', @@ -586,7 +590,8 @@ 'authn_file', 'authz_user', 'deflate', - 'xsendfile' + 'xsendfile', + 'cspnonce' ] apache::mod { $mods:;
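Review bot: Nothing in these two hunks orders the new `package { 'mod_cspnonce': }` before the `apache::mod` entry that loads `cspnonce`, so on a first run Puppet may write the module's load configuration and refresh Apache before the shared object is on disk. The CSP change in modules/website/manifests/init.pp depends on this module being loaded, so make the dependency explicit, for example `require => Package['mod_cspnonce'],` on the `apache::mod` resource. The `apache::mod { $mods:;` body continues outside the hunk, so an existing relationship there cannot be ruled out. A one-line comment above the package, such as `# Provides the per-request CSP_NONCE variable used in the website module's CSP headers`, would also record why it is installed.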
--- a/modules/website/manifests/init.pp Wed May 25 20:54:03 2022 +0100
+++ b/modules/website/manifests/init.pp Sat Oct 08 12:08:50 2022 +0100
@@ -22,13 +22,17 @@
 $filterfragment = "Include conf.custom/filter.conf"
 $cmsfragment = "Include conf.extra/cms_rewrites.conf"
- $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"}
+ $csp_base = {
+ "frame-ancestors" => "'none'",
+ "base-uri" => "'none'",
+ "object-src" => "'none'",
+ }
 $csp_report_base = {
 "default-src" => "'none'",
 "img-src" => "'self'",
- "script-src" => "'self'",
- "style-src" => "'self'",
- "font-src" => "'self'"
+ "script-src" => "'self' 'nonce-%{CSP_NONCE}e'",
+ "style-src" => "'self' 'nonce-%{CSP_NONCE}e'",
+ "font-src" => "'self' 'nonce-%{CSP_NONCE}e'"
 }
 if $osfamily == 'RedHat' {
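Review bot: The nonce added to `font-src` has no effect, because nonce sources are only matched against script and style elements and a font load carries no `nonce` attribute; that entry can stay `"font-src" => "'self'"`. Separately, `%{CSP_NONCE}e` only yields a per-request value when mod_cspnonce is loaded for the vhost; as far as I know mod_headers renders an unset variable as the literal `(null)`, which would make the nonce a constant, so this manifest should depend on the module that manifests/templates.pp enables in this commit. The hash is turned into header directives outside this hunk, so how the value reaches the `Header` line is not visible here. A comment on `$csp_report_base` noting that pages must emit the same per-request value in their `nonce` attributes, and must not be served from a shared cache, would document the contract.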