Merge pull request #17 from echohello-dev/feature/plausible-fix-csp

johnnyhuy · web-flow · commit fdf6a33bc4fd · 2024-07-14T12:28:34.000+10:00
chore: Update security settings and environment variables
diff --git a/.env.example b/.env.example
@@ -2,6 +2,7 @@
 GITHUB_TOKEN=
 
 # Backstage
+APP_BASE_URL=http://backstage.localhost
 PLAUSIBLE_DATA_DOMAIN=backstage.localhost
 PLAUSIBLE_SOURCE_URL=http://plausible.localhost/js/script.js
 
diff --git a/Makefile b/Makefile
@@ -50,6 +50,8 @@ exec:
 
 plausible-up: init
 	@echo "Plausible is running at http://localhost:8000 or http://plausible.localhost"
+	@echo "Backstage is running at http://localhost:7007 or http://backstage.localhost"
+	@echo "Traefik is running at http://localhost:8080 or http://traefik.localhost"
 	docker compose -f compose.yaml -f compose.plausible.yaml up -d
 
 plausible-down:
diff --git a/app-config.production.yaml b/app-config.production.yaml
@@ -1,18 +1,21 @@
 app:
-  # Should be the same as backend.baseUrl when using the `app-backend` plugin.
-  baseUrl: http://localhost:7007
+  baseUrl: ${APP_BASE_URL}
 
 backend:
-  # Note that the baseUrl should be the URL that the browser and other clients
-  # should use when communicating with the backend, i.e. it needs to be
-  # reachable not just from within the backend host, but from all of your
-  # callers. When its value is "http://localhost:7007", it's strictly private
-  # and can't be reached by others.
-  baseUrl: http://localhost:7007
-  # The listener can also be expressed as a single <host>:<port> string. In this case we bind to
-  # all interfaces, the most permissive setting. The right value depends on your specific deployment.
+  baseUrl: ${APP_BASE_URL}
   listen: ':7007'
 
+  csp:
+    connect-src: ["'self'", 'http:', 'https:']
+    script-src:
+      ["'self'", 'http:', 'https:', "'unsafe-eval'", '${APP_BASE_URL}']
+    img-src: ["'self'", 'http:', 'https:', 'data:']
+
+  cors:
+    origin: ${APP_BASE_URL}
+    methods: [GET, HEAD, PATCH, POST, PUT, DELETE]
+    credentials: true
+
 auth:
   providers:
     guest:
diff --git a/app-config.yaml b/app-config.yaml
@@ -19,7 +19,7 @@ backend:
     # host: 127.0.0.1
   csp:
     connect-src: ["'self'", 'http:', 'https:']
-    script-src: ["'self'", 'http:', 'https:']
+    script-src: ["'self'", 'http:', 'https:', "'unsafe-eval'"]
     # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
     # Default Helmet Content-Security-Policy values can be removed by setting the key to false
   cors:
