This repository has been archived by the owner on May 3, 2024. It is now read-only.

feat(SecurityHeaders): add Referrer-Policy override #97

Merged
merged 9 commits into from
Apr 21, 2020
13 changes: 13 additions & 0 deletions __tests__/server/config/env/runTime.spec.js
Expand Up @@ -385,4 +385,17 @@ describe('runTime', () => {
expect(clientRootModuleName.defaultValue()).not.toBeDefined();
});
});

describe('ONE_REFERRER_POLICY_OVERRIDE', () => {
const referrerPolicyOverride = getEnvVarConfig('ONE_REFERRER_POLICY_OVERRIDE');

it('default value', () => {
expect(referrerPolicyOverride.defaultValue()).toEqual('same-origin');
});

it('validates approved policy', () => {
expect(() => referrerPolicyOverride.validate('strict-origin')).not.toThrow();
expect(() => referrerPolicyOverride.validate('unsafe-url')).toThrow();
});
});
});
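Review bot: the 'validates approved policy' case exercises one accepted value (`strict-origin`) and one rejected value (`unsafe-url`), so a regression that silently drops `no-referrer` or `no-referrer-when-downgrade` from the allow-list in runTime.js would still pass; loop over all four approved strings with `not.toThrow()`, and add rejection cases for an empty string and for a value that differs only in case (for example `Same-Origin`), since the check is an exact string match. Asserting on the thrown message would also cover the list of accepted values that gets surfaced to operators at startup.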
13 changes: 13 additions & 0 deletions __tests__/server/middleware/addSecurityHeaders.spec.js
Expand Up @@ -36,4 +36,17 @@ describe('addSecurityHeaders', () => {
);
expect(next).toBeCalled();
});

describe('Referrer-Policy', () => {
it('default can be overridden ', () => {
const req = { get: jest.fn(), headers: {} };
const res = { set: jest.fn((key, value) => value) };
process.env.ONE_REFERRER_POLICY_OVERRIDE = 'no-referrer';

addSecurityHeaders(req, res, jest.fn());
expect(res.set).toBeCalledWith('Referrer-Policy', 'no-referrer');

delete process.env.ONE_REFERRER_POLICY_OVERRIDE;
});
});
});
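Review bot: the test mutates `process.env.ONE_REFERRER_POLICY_OVERRIDE` and only deletes it at the end of the `it` body, so if the `toBeCalledWith` assertion fails the value leaks into every later test in the file; move the `delete` into an `afterEach`, or snapshot and restore `process.env` around the `describe('Referrer-Policy')` block. Setting the variable directly here also bypasses the `validate` step in runTime.js, which is fine for a unit test of the middleware but means nothing in this spec shows an unapproved value being rejected on the request path.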
27 changes: 26 additions & 1 deletion docs/api/server/Environment-Variables.md
Expand Up @@ -36,7 +36,7 @@ One App can be configured via Environment Variables:
* [`HOLOCRON_SERVER_MAX_SIM_MODULES_FETCH`](#holocron_server_max_sim_modules_fetch)
* [`ONE_ENABLE_POST_TO_MODULE_ROUTES`](#one_enable_post_to_module_routes)
* [`ONE_MAP_POLLING_MAX`](#one_map_polling_max)
* [`ONE_MAP_POLLING_MIN`](#one_map_polling_min)
* [`ONE_REFERRER_POLICY_OVERRIDE`](#one_referrer_policy_override)

**Alphabetical Contents**
* [`HOLOCRON_MODULE_MAP_URL`](#holocron_module_map_url)
Expand All @@ -61,6 +61,7 @@ One App can be configured via Environment Variables:
* [`ONE_ENABLE_POST_TO_MODULE_ROUTES`](#one_enable_post_to_module_routes)
* [`ONE_MAP_POLLING_MAX`](#one_map_polling_max)
* [`ONE_MAP_POLLING_MIN`](#one_map_polling_min)
* [`ONE_REFERRER_POLICY_OVERRIDE`](#one_referrer_policy_override)

> ⚠️ = Required

Expand Down Expand Up @@ -555,6 +556,30 @@ ONE_MAP_POLLING_MIN=Number
ONE_MAP_POLLING_MIN=0
```

## `ONE_REFERRER_POLICY_OVERRIDE`

**Runs In**
* ✅ Production
* ✅ Development

Overrides the `Referrer-Policy` header.

Must be one of: `no-referrer`, `no-referrer-when-downgrade`, `same-origin` or `strict-origin`.

**Shape**
```bash
ONE_REFERRER_POLICY_OVERRIDE=String
```
**Exampke**
```bash
ONE_REFERRER_POLICY_OVERRIDE=no-referrer
```

**Default Value**
```bash
ONE_REFERRER_POLICY_OVERRIDE=same-origin
```

**📘 More Information**
* Useful NodeJS Env Variables: [Node CLI Docs](https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file)
* [Development Tools Documentation](./Development-Tools.md)
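Review bot: 'Exampke' in the heading above the `ONE_REFERRER_POLICY_OVERRIDE=no-referrer` block should read 'Example'. Beyond the typo, the entry says the variable overrides the header but not what the choice trades off: of the four accepted values, `no-referrer-when-downgrade` still sends the full URL (path and query string) to other origins as long as the request is not an HTTPS-to-HTTP downgrade, while `same-origin` and `strict-origin` never send more than the origin cross-site, so an operator choosing it should know they are loosening the default. One sentence on that, plus a note that any other value makes startup fail with the error thrown by `validate` in runTime.js, would make the section self-contained.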
16 changes: 16 additions & 0 deletions src/server/config/env/runTime.js
Expand Up @@ -176,6 +176,22 @@ const runTime = [
validate: (value) => { if (!value) { throw new Error('The `ONE_CLIENT_ROOT_MODULE_NAME` environment variable must be defined.'); } },
defaultValue: () => (process.env.NODE_ENV === 'development' ? argv.rootModuleName : undefined),
},
{
name: 'ONE_REFERRER_POLICY_OVERRIDE',
defaultValue: () => 'same-origin',
validate: (value) => {
const approvedPolicies = [
'no-referrer',
'no-referrer-when-downgrade',
'same-origin',
'strict-origin',
];

if (!approvedPolicies.includes(value)) {
throw new Error(`${value} in not an approved policy. Please use: ${approvedPolicies.join(',')}.`);
}
},
},
];

runTime.forEach(preprocessEnvVar);
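Review bot: the error text reads 'in not an approved policy' and should be 'is not an approved policy', and `approvedPolicies.join(',')` prints the list with no spaces; `join(', ')` reads better in a startup log. On the list itself: `strict-origin-when-cross-origin` (the browser default, which sends only the origin to other sites and nothing on a downgrade) is excluded, while `no-referrer-when-downgrade`, which sends full URLs cross-origin over HTTPS, is accepted; if that is intentional a short comment on the rationale would help the next reader, otherwise consider swapping them. Note also that `validate` runs once through `preprocessEnvVar`, so it does not guard against the variable being changed after startup.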
2 changes: 1 addition & 1 deletion src/server/middleware/addSecurityHeaders.js
Expand Up @@ -19,6 +19,6 @@ export default function addSecurityHeaders(req, res, next) {
res.set('X-Content-Type-Options', 'nosniff');
res.set('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
res.set('X-XSS-Protection', '1; mode=block');
res.set('Referrer-Policy', 'same-origin');
res.set('Referrer-Policy', process.env.ONE_REFERRER_POLICY_OVERRIDE || 'same-origin');
next();
}
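Review bot: `process.env.ONE_REFERRER_POLICY_OVERRIDE || 'same-origin'` reads the environment on every request and never passes through the allow-list in runTime.js, so any code path that mutates `process.env` after startup can put an arbitrary string into the response header; read the variable once at module load, where it has already been validated and defaulted (which also makes the `|| 'same-origin'` fallback redundant), and set the header from that constant. Unrelated to this change but visible in the context lines: `X-XSS-Protection: 1; mode=block` is deprecated in current browsers and `0` is the value now recommended, worth a follow-up.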