Improve security: HSTS, Force SSL, CSP

2025-12-10 08:46:41 +01:00 · 2019-03-17 10:55:09 +01:00 · 2019-03-17 10:55:09 +01:00 · a5dc6c2532
commit a5dc6c2532
parent 51f985830a
8 changed files with 34 additions and 31 deletions
--- a/app/assets/javascripts/application.js
+++ b/app/assets/javascripts/application.js
@ -20,5 +20,5 @@
 //= require codemirror/modes/css
 //= require codemirror/modes/javascript
 //= require codemirror/modes/htmlmixed
-//= require translations
-//= require_tree .
+//= require mathjax-config
+//= require init
--- a/app/assets/javascripts/translations.js.coffee
+++ b/app/assets/javascripts/translations.js.coffee
@ -1,6 +1,4 @@
-# Place all the behaviors and hooks related to the matching controller here.
-# All this logic will automatically be available in application.js.
-# You can use CoffeeScript in this file: http://coffeescript.org/
+window.App ||= {}

 cm = null

@ -13,8 +11,12 @@ loadCodeMirror = ->
      mode: "text/html"
    })

-$(document).on "turbolinks:load", loadCodeMirror
+App.init = ->
+  MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
+  loadCodeMirror();

+$(document).on "turbolinks:load", ->
+  App.init()

 $(document).on "click", '#translationNav a[href="#preview"]', ->
  $('#preview .problem-content').html(cm.getValue())
--- a/app/assets/javascripts/mathjax-config.js
+++ b/app/assets/javascripts/mathjax-config.js
@ -0,0 +1,9 @@
+window.MathJax = {
+    jax: ["input/TeX", "output/HTML-CSS"],
+    tex2jax: {
+        inlineMath: [ ["$","$"], ["\\(","\\)"] ],
+        displayMath: [ ["$$","$$"], ["\\[","\\]"] ],
+        processEscapes: true
+    },
+    "HTML-CSS": { availableFonts: ["TeX"] }
+};
--- a/app/assets/javascripts/mathjax.js.coffee
+++ b/app/assets/javascripts/mathjax.js.coffee
@ -1,2 +0,0 @@
-$(document).on 'turbolinks:load', ->
-  MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@ -5,18 +5,7 @@
  <%= favicon_link_tag %>
  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
-  <script type="text/x-mathjax-config">
-    MathJax.Hub.Config({
-      jax: ["input/TeX", "output/HTML-CSS"],
-      tex2jax: {
-         inlineMath: [ ["$","$"], ["\\(","\\)"] ],
-         displayMath: [ ["$$","$$"], ["\\[","\\]"] ],
-         processEscapes: true
-      },
-      "HTML-CSS": { availableFonts: ["TeX"] }
-    });
-  </script>
-  <script src='https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-AMS_HTML' async></script>
+  <%= javascript_include_tag 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-AMS_HTML-full,Safe', 'data-turbolinks-track' => true %>
  <%= csrf_meta_tags %>
 </head>
 <body>
--- a/config/application.rb
+++ b/config/application.rb
@ -16,6 +16,10 @@ module Projekteuler
    # -- all .rb files in that directory are automatically loaded after loading
    # the framework and any gems in your application.

+    config.action_dispatch.default_headers = {
+        'X-Frame-Options' => 'DENY'
+    }
+
    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
    # config.time_zone = 'Central Time (US & Canada)'
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -47,7 +47,7 @@ Rails.application.configure do
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true

  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -4,17 +4,18 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

-# Rails.application.config.content_security_policy do |policy|
-#   policy.default_src :self, :https
-#   policy.font_src    :self, :https, :data
-#   policy.img_src     :self, :https, :data
-#   policy.object_src  :none
-#   policy.script_src  :self, :https
-#   policy.style_src   :self, :https
+Rails.application.config.content_security_policy do |policy|
+  policy.default_src :none
+  policy.font_src    :self, 'https://cdnjs.cloudflare.com'
+  policy.img_src     :self, 'https://cdnjs.cloudflare.com', 'https://projecteuler.net'
+  policy.object_src  :none
+  policy.script_src  :self, 'https://cdnjs.cloudflare.com'
+  policy.style_src   :self, :unsafe_inline
+  policy.connect_src :self

-#   # Specify URI for violation reports
-#   # policy.report_uri "/csp-violation-report-endpoint"
-# end
+  # Specify URI for violation reports
+  # policy.report_uri "/csp-violation-report-endpoint"
+end

 # If you are using UJS then enable automatic nonce generation
 # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }