Fix staging post-migration ZAP findings #4115
Conversation
Summary by CodeRabbit
Walkthrough: Added route-level HTTP security headers (CSP and related) via Next.js config; adjusted Terraform S3 object lock dependency to reference a global bucket versioning resource instead of per-item references.
1 issue found across 2 files
Confidence score: 4/5
- Only issue is a dev-environment CSP restriction, so overall risk is low and this PR should be safe to merge
- `frontend/next.config.ts` applies a strict CSP without `unsafe-eval` or WS allowances, which can break local `next dev` tooling and HMR connections
- Pay close attention to `frontend/next.config.ts`: CSP may block eval-based tooling and HMR in development.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="frontend/next.config.ts">
<violation number="1" location="frontend/next.config.ts:68">
P2: Global CSP headers are applied in all environments, but the CSP omits 'unsafe-eval' and WS allowances required for Next.js dev/HMR. This can break local `next dev` by blocking eval-based tooling and HMR connections. Consider skipping these headers in local/dev or adding dev-only allowances.</violation>
</file>
🧹 Nitpick comments (1)
frontend/next.config.ts (1)
12-12: Consider migrating away from 'unsafe-inline' for scripts in the future. While 'unsafe-inline' is commonly needed for Next.js applications and is acceptable here for restoring the previous security posture, using CSP nonces via Next.js middleware would provide stronger protection against XSS. This can be deferred since the current configuration matches the pre-migration baseline.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@frontend/next.config.ts` at line 12, The CSP currently includes "script-src 'self' 'unsafe-inline' ..." in frontend/next.config.ts; remove reliance on 'unsafe-inline' by implementing per-request CSP nonces via Next.js middleware: generate a secure random nonce in the middleware, add it to the response CSP header (replace 'unsafe-inline' with 'nonce-{nonce}' in the "script-src" directive), and expose the same nonce to pages (via a response header or request context) so scripts and <Script> tags can include nonce attributes; update any inline scripts to use the generated nonce and ensure the middleware logic that sets the CSP header and supplies the nonce is invoked for all relevant routes.
🧹 Nitpick comments (1)
frontend/next.config.ts (1)
12-13: Harden CSP by phasing out 'unsafe-inline' for scripts/styles. Line 12 and Line 13 currently allow inline execution, which reduces CSP's XSS protection. Prefer nonce/hash-based CSP for inline code/styles where feasible.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@frontend/next.config.ts` around lines 12 - 13, The CSP currently allows unsafe inline for scripts and styles in the Next.js config entries "script-src" and "style-src"; remove 'unsafe-inline' from both directives in next.config.ts and implement nonce- or hash-based CSP instead—generate a per-request nonce in your server (e.g., middleware or getServerSideProps), inject that nonce into the CSP header and add the same nonce attribute to any legitimate inline <script> or <style> usages (or convert inline code to external files and include their hashes in the CSP), and update places that relied on inline execution to use the nonce/hash so the CSP no longer requires 'unsafe-inline'.
Closing in favor of #4137

Proposed change
After the Zappa → Terraform/ECS migration, the ZAP baseline scan at https://nest.owasp.dev fails with multiple WARN-NEW findings. The root cause is that the security headers previously served by the nginx reverse proxy (proxy/headers.conf) were not migrated to the new infrastructure.
This PR restores those security headers by adding them at the Next.js application layer via next.config.ts, and fixes a Terraform syntax error in the state management configuration.
Resolves #4090
Checklist
- `make check-test` locally: all warnings addressed, tests passed