#110 - add a CSP to REST response

apihub-root/index.html

@@ -441,7 +441,7 @@ <h2>v0.10.4 (Pending) Release Notes 2022-08-??</h2>
             <li>Quick shipment/create|update out-of-order processing fixec (<a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/91">#91</a>).
             <li>OpenDSU technology stack upgraded to <a href="https://github.com/PrivateSky/psk-release/tree/882f9fae2af5076eb73265d6602b64c13f445e43">psk-release 2022-July-28</a>.
                 (Fixes related to heart beating for long polling <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/90">#90</a>, and <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/99">#99</a>).</li>
-            <li>Vulnerability scan issues fixed (master issue <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/94">#94</a>: <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/95">#95</a> npm-debug-2.6.9 vulnerability override, <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/103">#103</a> xmldom legal vulnerability removed).</li>
+            <li>Vulnerability scan issues fixed (master issue <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/94">#94</a>: <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/95">#95</a> npm-debug-2.6.9 vulnerability override, <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/103">#103</a> xmldom legal vulnerability removed, <a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/110">#110</a> Content-Security-Policy header added in REST services ).</li>
             <li>BC network has been renamed from qbn-net to dsu-bc-net (<a href="https://github.com/PharmaLedger-IMI/fgt-workspace/issues/30#issuecomment-1191681695">#30#issuecomment-1191681695</a>).</li>
         </ul>
 
@@ -773,7 +773,7 @@ <h2>Release notes 2021-03-26</h2>
         <br>
         This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 853992
         <br>&nbsp;<br>
-        v<!-- VERSION_START -->0.10.3-g2bb7c831<!-- VERSION_END --> &copy;&nbsp;2021 <a href="http://pharmaledger.eu">Pharmaledger.eu</a> - All Rights Reserved.
+        v<!-- VERSION_START -->0.10.4-g34ae845c<!-- VERSION_END --> &copy;&nbsp;2021 <a href="http://pharmaledger.eu">Pharmaledger.eu</a> - All Rights Reserved.
     </footer>
 
     <script type="application/javascript">

fgt-api/Api.js

@@ -1,6 +1,7 @@
 const {log} = require('./utils');
 const {requireAuth} = require("./middleware");
 const {BadRequest, NotImplemented} = require("./utils/errorHandler");
+const {CSP_HEADER, CSP_DEFAULT_POLICY} = require("./utils/csp");
 
 const BASE_PATH = '/traceability';
 const ALL_SUFFIX = "All";
@@ -176,6 +177,7 @@ class Api {
     }
 
     _sendResponse(res, code, response){
+        res.setHeader(CSP_HEADER, CSP_DEFAULT_POLICY); // #110
         res.statusCode = code;
         if (response)
             res.write(JSON.stringify(response));

fgt-api/middleware.js

@@ -1,9 +1,11 @@
 const {Unauthorized} = require("./utils/errorHandler");
 const {authenticate, decodeBase64} = require("./utils/basicAuth");
+const {CSP_HEADER, CSP_DEFAULT_POLICY} = require("./utils/csp");
 
 const requireAuth = (req, res, next) => {
     const unauthorized = function (msg) {
         const err = new Unauthorized();
+        res.setHeader(CSP_HEADER, CSP_DEFAULT_POLICY); // #110
         res.statusCode = err.statusCode;
         res.write(JSON.stringify({
             status: err.statusCode,

fgt-api/utils/csp.js

@@ -0,0 +1,11 @@
+// #110
+const CSP_HEADER = "Content-Security-Policy";
+const CSP_DEFAULT_POLICY = "self";
+
+// should be a function to set the header on a response, but, this is left as simple
+// constants hoping that the security scan tool can read these, instead of duplicating the values.
+
+module.exports = {
+    CSP_HEADER,
+    CSP_DEFAULT_POLICY
+}