blogs: add CSP report header to blog sites
Ref gh-54
Closes gh-72
timmywil authored Dec 15, 2024
1 parent 6b17a53 commit 7019e41
Showing 4 changed files with 12 additions and 1 deletion.
1 change: 1 addition & 0 deletions hieradata/environments/production/roles/blogs.yaml
Expand Up @@ -5,6 +5,7 @@ profile::certbot::certificates:

profile::wordpress::blogs::admin_email: [email protected]
profile::wordpress::blogs::wordpress_version: ~
profile::wordpress::blogs::csp_header: "default-src 'self'; script-src 'self' code.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"
profile::wordpress::blogs::sites:
jquery:
host: blog.jquery.com
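Review bot: Nothing next to `profile::wordpress::blogs::csp_header` says that the policy is served in report-only mode, or that the `csp-endpoint` name in `report-to` has to match the name declared in the `Reporting-Endpoints` header, which is hard-coded in the nginx template together with a second copy of the report URL. A comment above the key, for example `# Sent as Content-Security-Policy-Report-Only; 'csp-endpoint' must match Reporting-Endpoints in the nginx template`, would keep the two from drifting apart. The hash continues outside the hunk.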
1 change: 1 addition & 0 deletions modules/profile/manifests/wordpress/base.pp
Expand Up @@ -3,6 +3,7 @@
String[1] $innodb_buffer_pool_size = lookup('profile::wordpress::base::mariadb_innodb_buffer_pool_size', {default_value => '512M'}),
String[1] $wordpress_cli_version = lookup('profile::wordpress::base::wordpress_cli_version'),
Optional[String[1]] $default_site_cert = lookup('profile::wordpress::base::default_site_cert', {default_value => undef}),
Optional[String[1]] $csp_header = undef,
) {
file { '/srv/mariadb':
ensure => directory,
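Review bot: `$csp_header` accepts any non-empty string, and, assuming this is the value the nginx template interpolates inside a double-quoted `add_header` argument, a `"`, `$`, backslash or newline in the Hiera value would break or alter the generated server config instead of failing at catalog compile time. A narrower type, for example `Optional[Pattern[/\A[^"$\\\n]+\z/]] $csp_header = undef,`, would reject such values early. A one-line comment stating that the value is emitted as `Content-Security-Policy-Report-Only` rather than as an enforcing policy would also help, since the parameter name does not say so. The class body continues outside the hunk.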
5 changes: 4 additions & 1 deletion modules/profile/manifests/wordpress/blogs.pp
Expand Up @@ -5,8 +5,11 @@
String[1] $db_password_seed = lookup('profile::wordpress::blogs::db_password_seed'),
Stdlib::Email $admin_email = lookup('profile::wordpress::blogs::admin_email'),
String[1] $admin_password = lookup('profile::wordpress::blogs::admin_password'),
String[1] $csp_header = lookup('profile::wordpress::blogs::csp_header'),
) {
include profile::wordpress::base
class { 'profile::wordpress::base':
csp_header => $csp_header,
}

git::clone { 'blog.jquery.com-theme':
path => '/srv/wordpress/blog.jquery.com-theme',
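Review bot: The new `$csp_header` parameter is `String[1]` with a `lookup()` that has no default, so catalog compilation will fail for any environment whose hieradata lacks `profile::wordpress::blogs::csp_header`; this commit adds the key only to the production role file. Since base.pp already types the value as `Optional` and the template guards on it, `Optional[String[1]] $csp_header = lookup('profile::wordpress::blogs::csp_header', {default_value => undef}),` would keep the header opt-in. Separately, replacing `include profile::wordpress::base` with a resource-like `class { ... }` declaration makes evaluation order matter: if anything else in the same catalog includes the base profile first, Puppet reports a duplicate declaration, so it is worth confirming that no other class declares it. The class body continues outside the hunk.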
Expand Up @@ -14,6 +14,12 @@ server {

server_tokens off;

<%- if @csp_header -%>
# Add Content Security Policy headers
add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
add_header Content-Security-Policy-Report-Only "<%= @csp_header %>" always;
<%- end -%>

location /.well-known/acme-challenge {
root /var/www/letsencrypt/;
}
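Review bot: The `Reporting-Endpoints` value wraps the URL in single quotes, but that header is a structured-field dictionary whose member values must be double-quoted strings, so browsers are likely to discard it and `report-to csp-endpoint` would have no endpoint to resolve (only `report-uri` would still deliver reports). Writing the line as `add_header Reporting-Endpoints 'csp-endpoint="https://csp-report-api.openjs-foundation.workers.dev/"' always;` fixes the quoting and also adds `always`, which the policy line has but this one lacks, so error responses currently carry the policy without the endpoint declaration. The server block continues outside the hunk; if any `location` there sets its own `add_header`, nginx will not inherit these two headers into it, which is worth checking.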