Added report-to header to CSP (#1712)

* Added report-to header to CSP * Formatter * Fixed headers bad positioning + fix tests --------- Co-authored-by: William B <[email protected]>
cds-snc · Nov 8, 2023 · 426ef4c · 426ef4c
1 parent 3a87e19
commit 426ef4c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/app/__init__.py b/app/__init__.py
@@ -647,10 +647,13 @@ def useful_headers_after_request(response):
     response.headers.add("Upgrade-Insecure-Requests", "1")
     nonce = safe_get_request_nonce()
     asset_domain = current_app.config["ASSET_DOMAIN"]
+    response.headers.add(
+        "Report-To",
+        """{"group":"default","max_age":1800,"endpoints":[{"url":"https://csp-report-to.security.cdssandbox.xyz/report"}]""",
+    )
     response.headers.add(
         "Content-Security-Policy",
         (
-            "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
             f"default-src 'self' {asset_domain} 'unsafe-inline';"
             f"script-src 'self' {asset_domain} *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
             f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -662,6 +665,8 @@ def useful_headers_after_request(response):
             "frame-ancestors 'self';"
             "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
             "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+            "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+            "report-to default;"
         ),
     )
     if "Cache-Control" in response.headers:

diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
@@ -61,8 +61,11 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
     assert response.headers["X-Frame-Options"] == "deny"
     assert response.headers["X-Content-Type-Options"] == "nosniff"
     assert response.headers["X-XSS-Protection"] == "1; mode=block"
+    assert (
+        response.headers["Report-To"]
+        == """{"group":"default","max_age":1800,"endpoints":[{"url":"https://csp-report-to.security.cdssandbox.xyz/report"}]"""
+    )
     assert response.headers["Content-Security-Policy"] == (
-        "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
         "default-src 'self' static.example.com 'unsafe-inline';"
         f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
         f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -74,6 +77,8 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
         "frame-ancestors 'self';"
         "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+        "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+        "report-to default;"
     )
 
 
@@ -125,7 +130,6 @@ def test_headers_non_ascii_characters_are_replaced(
 
     assert response.status_code == 200
     assert response.headers["Content-Security-Policy"] == (
-        "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
         "default-src 'self' static.example.com 'unsafe-inline';"
         f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
         f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -137,4 +141,6 @@ def test_headers_non_ascii_characters_are_replaced(
         "frame-ancestors 'self';"
         "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+        "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+        "report-to default;"
     )