Improve security: HSTS, Force SSL, CSP

app/assets/javascripts/application.js

@@ -20,5 +20,5 @@
 //= require codemirror/modes/css
 //= require codemirror/modes/javascript
 //= require codemirror/modes/htmlmixed
-//= require translations
+//= require mathjax-config
-//= require_tree .
+//= require init

app/assets/javascripts/init.coffee

@@ -1,6 +1,4 @@
-# Place all the behaviors and hooks related to the matching controller here.
+window.App ||= {}
-# All this logic will automatically be available in application.js.
-# You can use CoffeeScript in this file: http://coffeescript.org/
 
 cm = null
 
@@ -13,8 +11,12 @@ loadCodeMirror = ->
       mode: "text/html"
     })
 
-$(document).on "turbolinks:load", loadCodeMirror
+App.init = ->
+  MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
+  loadCodeMirror();
 
+$(document).on "turbolinks:load", ->
+  App.init()
 
 $(document).on "click", '#translationNav a[href="#preview"]', ->
   $('#preview .problem-content').html(cm.getValue())

app/assets/javascripts/mathjax-config.js

@@ -0,0 +1,9 @@
+window.MathJax = {
+    jax: ["input/TeX", "output/HTML-CSS"],
+    tex2jax: {
+        inlineMath: [ ["$","$"], ["\\(","\\)"] ],
+        displayMath: [ ["$$","$$"], ["\\[","\\]"] ],
+        processEscapes: true
+    },
+    "HTML-CSS": { availableFonts: ["TeX"] }
+};

app/assets/javascripts/mathjax.js.coffee

@@ -1,2 +0,0 @@
-$(document).on 'turbolinks:load', ->
-  MathJax.Hub.Queue(["Typeset",MathJax.Hub]);

app/views/layouts/application.html.erb

@@ -5,18 +5,7 @@
   <%= favicon_link_tag %>
   <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
   <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
-  <script type="text/x-mathjax-config">
+  <%= javascript_include_tag 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-AMS_HTML-full,Safe', 'data-turbolinks-track' => true %>
-    MathJax.Hub.Config({
-      jax: ["input/TeX", "output/HTML-CSS"],
-      tex2jax: {
-         inlineMath: [ ["$","$"], ["\\(","\\)"] ],
-         displayMath: [ ["$$","$$"], ["\\[","\\]"] ],
-         processEscapes: true
-      },
-      "HTML-CSS": { availableFonts: ["TeX"] }
-    });
-  </script>
-  <script src='https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-AMS_HTML' async></script>
   <%= csrf_meta_tags %>
 </head>
 <body>

config/application.rb

@@ -16,6 +16,10 @@ module Projekteuler
     # -- all .rb files in that directory are automatically loaded after loading
     # the framework and any gems in your application.
 
+    config.action_dispatch.default_headers = {
+        'X-Frame-Options' => 'DENY'
+    }
+
     # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
     # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
     # config.time_zone = 'Central Time (US & Canada)'

config/environments/production.rb

@@ -47,7 +47,7 @@ Rails.application.configure do
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.

config/initializers/content_security_policy.rb

@@ -4,17 +4,18 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-# Rails.application.config.content_security_policy do |policy|
+Rails.application.config.content_security_policy do |policy|
-#   policy.default_src :self, :https
+  policy.default_src :none
-#   policy.font_src    :self, :https, :data
+  policy.font_src    :self, 'https://cdnjs.cloudflare.com'
-#   policy.img_src     :self, :https, :data
+  policy.img_src     :self, 'https://cdnjs.cloudflare.com', 'https://projecteuler.net'
-#   policy.object_src  :none
+  policy.object_src  :none
-#   policy.script_src  :self, :https
+  policy.script_src  :self, 'https://cdnjs.cloudflare.com'
-#   policy.style_src   :self, :https
+  policy.style_src   :self, :unsafe_inline
+  policy.connect_src :self
 
-#   # Specify URI for violation reports
+  # Specify URI for violation reports
-#   # policy.report_uri "/csp-violation-report-endpoint"
+  # policy.report_uri "/csp-violation-report-endpoint"
-# end
+end
 
 # If you are using UJS then enable automatic nonce generation
 # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }