Disable CSP

This commit is contained in:
Bubka 2024-11-18 12:57:12 +01:00
parent 3d7ba56d73
commit 9e6086984f
5 changed files with 10 additions and 10 deletions


@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
# an attacker is able to inject malicious code into the web app # an attacker is able to inject malicious code into the web app
CONTENT_SECURITY_POLICY=true CONTENT_SECURITY_POLICY=false
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
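Review bot: The comment kept on the two lines above still presents CSP as the XSS defense, yet the default now ships it off with no explanation, and elsewhere in this commit the middleware's config check is commented out, so setting `CONTENT_SECURITY_POLICY=true` here will no longer bring the header back. I'd extend the comment so operators are not misled, e.g. `# NOTE: currently disabled and ignored — the CSP middleware is commented out (AddContentSecurityPolicyHeaders)`, or better keep the middleware conditional so this switch keeps working. The hunk header suggests the comment block begins before the lines shown.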

Dockerfile vendored

@ -242,7 +242,7 @@ ENV \
# CSP helps to prevent or minimize the risk of certain types of security threats. # CSP helps to prevent or minimize the risk of certain types of security threats.
# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
# an attacker is able to inject malicious code into the web app # an attacker is able to inject malicious code into the web app
CONTENT_SECURITY_POLICY=true \ CONTENT_SECURITY_POLICY=false \
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
BROADCAST_DRIVER=log \ BROADCAST_DRIVER=log \


@ -16,13 +16,13 @@ class AddContentSecurityPolicyHeaders
*/ */
public function handle(Request $request, Closure $next) : Response public function handle(Request $request, Closure $next) : Response
{ {
if (config('2fauth.config.contentSecurityPolicy')) { // if (config('2fauth.config.contentSecurityPolicy')) {
Vite::useCspNonce(); // Vite::useCspNonce();
return $next($request)->withHeaders([ // return $next($request)->withHeaders([
'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';", // 'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
]); // ]);
} // }
return $next($request); return $next($request);
} }
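Review bot: Commenting out the `if (config('2fauth.config.contentSecurityPolicy'))` block in `handle` removes the opt-in path entirely: the config default is flipped to false in this same commit, so leaving the conditional in place would already disable the header by default while still letting an operator who sets `CONTENT_SECURITY_POLICY=true` keep it. As written the config key becomes dead, and commented-out code tends to rot — the nonce wiring via `Vite::useCspNonce()` may silently drift from whatever templates consume it. I'd restore the guarded block unchanged and, if a concrete breakage motivated this, record it above the `if`, e.g. `// CSP is opt-in (default off): the nonce-based policy broke <describe>, see issue #NNN`. If the header really must stay off everywhere, deleting the block is clearer than leaving it commented out.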


@ -31,7 +31,7 @@
'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null), 'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
'appSubdirectory' => env('APP_SUBDIRECTORY', ''), 'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365), 'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true), 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
], ],
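Review bot: `'contentSecurityPolicy'` now defaults to `false`, but with the middleware's check commented out in this same commit the value is never consulted, so this key documents a switch that does nothing. Either keep the middleware reading it — then this default flip alone achieves "disabled by default" — or mark it here: `// currently unused: AddContentSecurityPolicyHeaders no longer reads this value`. Turning a security-header default off also deserves a one-line why next to it, especially since `envUnlessEmpty` presumably makes an empty env var fall back to the disabled default silently.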
/* /*


@ -139,7 +139,7 @@ services:
# CSP helps to prevent or minimize the risk of certain types of security threats. # CSP helps to prevent or minimize the risk of certain types of security threats.
# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
# an attacker is able to inject malicious code into the web app # an attacker is able to inject malicious code into the web app
- CONTENT_SECURITY_POLICY=true - CONTENT_SECURITY_POLICY=false
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
- BROADCAST_DRIVER=log - BROADCAST_DRIVER=log