add csp draft

packages/backend/src/csp.rs

@@ -0,0 +1,16 @@
+use axum::{body::Body, extract::Request, http::HeaderValue, middleware::Next, response::Response};
+
+const CUSTOM_HEADER_NAME: &str = "Content-Security-Policy";
+const CUSTOM_HEADER_VALUE: &str = "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' data:; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
+
+lazy_static! {
+    static ref HEADER_VALUE: HeaderValue = HeaderValue::from_static(CUSTOM_HEADER_VALUE);
+}
+
+pub async fn add_csp_header(request: Request<Body>, next: Next) -> Response {
+    let mut response = next.run(request).await;
+    response
+        .headers_mut()
+        .append(CUSTOM_HEADER_NAME, HEADER_VALUE.clone());
+    response
+}

packages/backend/src/main.rs

@@ -1,7 +1,11 @@
 use std::{collections::HashMap, sync::Arc};
 
 use axum::{
+    body::Body,
     extract::{DefaultBodyLimit, Request},
+    http::HeaderValue,
+    middleware::{self, Next},
+    response::Response,
     routing::{delete, get, post},
     Router, ServiceExt,
 };
@@ -19,6 +23,7 @@ use tower_http::{
 extern crate lazy_static;
 
 mod config;
+mod csp;
 mod health;
 mod lock;
 mod note;
@@ -55,6 +60,8 @@ async fn main() {
     let app = Router::new()
         .nest("/api", api_routes)
         .fallback_service(serve_dir)
+        // Disabled for now, as svelte inlines scripts
+        // .layer(middleware::from_fn(csp::add_csp_header))
         .layer(DefaultBodyLimit::max(*config::LIMIT))
         .layer(
             CompressionLayer::new()