From 22a665e535a2d91903cf863a415ae0093b4facb0 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Thu, 27 Feb 2025 16:23:04 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(nginx)=20manage=20Content?= =?UTF-8?q?-Security-Policy=20in=20nginx=20config?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The media route is managed by nginx. On this route we want to add the Content-Security-Header to forbid fetching any resources. See : https://content-security-policy.com/
---
 docker/files/etc/nginx/conf.d/default.conf | 2 ++
 src/helm/impress/Chart.yaml | 2 +-
 src/helm/impress/values.yaml | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/docker/files/etc/nginx/conf.d/default.conf b/docker/files/etc/nginx/conf.d/default.conf
index e5967e33..66bdada1 100644
--- a/docker/files/etc/nginx/conf.d/default.conf
+++ b/docker/files/etc/nginx/conf.d/default.conf
@@ -68,6 +68,8 @@ server {
 # Get resource from Minio
 proxy_pass http://minio:9000/impress-media-storage/;
 proxy_set_header Host minio:9000;
+
+ add_header Content-Security-Policy "default-src 'none'" always;
 }
 location /media-auth {
diff --git a/src/helm/impress/Chart.yaml b/src/helm/impress/Chart.yaml
index a4f4e344..c6a63e66 100644
--- a/src/helm/impress/Chart.yaml
+++ b/src/helm/impress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 type: application
 name: docs
-version: 2.2.0-beta.1
+version: 2.2.0-beta.2
 appVersion: latest
diff --git a/src/helm/impress/values.yaml b/src/helm/impress/values.yaml
index 75ee8f7c..fcf09730 100644
--- a/src/helm/impress/values.yaml
+++ b/src/helm/impress/values.yaml
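Review bot: The policy added to the media location in `default.conf` sets only `default-src 'none'`, and `frame-ancestors`, `form-action` and `base-uri` do not fall back to `default-src`, so an uploaded HTML or SVG document served from this route can still be framed by another origin and can still submit a form. Assuming the editor does not itself frame media (otherwise use `frame-ancestors 'self'`), I would write `add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'" always;` and pair it with `add_header X-Content-Type-Options "nosniff" always;`. An `add_header` inside a location also stops inheritance of every `add_header` declared at `server` or `http` level, so any security headers set there (the server block lies outside this hunk) would need to be repeated in this location. The `values.yaml` hunk carries the same policy string and needs the same change.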
@@ -170,6 +170,8 @@ ingressMedia:
 nginx.ingress.kubernetes.io/auth-url: https://impress.example.com/api/v1.0/documents/media-auth/
 nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
 nginx.ingress.kubernetes.io/upstream-vhost: minio.impress.svc.cluster.local:9000
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ add_header Content-Security-Policy "default-src 'none'" always;
 ## @param serviceMedia.host
 ## @param serviceMedia.port
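Review bot: On the Kubernetes path the header depends on the `nginx.ingress.kubernetes.io/configuration-snippet` annotation, and recent ingress-nginx releases ship with `allow-snippet-annotations` disabled, in which case the snippet is not applied and the media ingress answers without the Content-Security-Policy that the docker nginx config sets. A comment above the annotation should state the requirement, for example `## Requires allow-snippet-annotations: "true" in the ingress-nginx controller ConfigMap`, and the deployment notes should tell operators to confirm the header on a real media response. Enabling snippets lets anyone who can create or edit Ingress objects inject nginx configuration, so on shared clusters it may be preferable to set the header at the storage backend or a dedicated proxy instead. The annotations block begins above this hunk.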