Add CSP and rename docker network

docker-compose.yml

@@ -6,7 +6,7 @@ services:
     ports:
       - '11000:3000'
     networks:
-      - rumor_party_line
+      - internal
     environment:
       PORT: '3000'
       CLIENT_URL: 'https://rumor.orangemayhem.net'
@@ -16,5 +16,5 @@ services:
       DOCKER: 'true'
 
 networks:
-  rumor_party_line:
+  internal:
     external: false

server/src/server.ts

@@ -37,21 +37,39 @@ app.use(helmet());
 app.use(limiter);
 app.use('/', express.static(path.join(__dirname, '../static')));
 
-// Navigate to the admin route in the client
-app.get('/admin', (_req, res) => {
-  res.sendFile(path.resolve(__dirname, '../static', 'index.html'));
-});
-
-// Force HTTPS redirection in production
-if (process.env.ENVIRONMENT !== 'development') {
-  app.use((req, res, next) => {
+// Force HTTPS redirection and CSP in production
+if (process.env.ENVIRONMENT === 'production') {
+  app.use((req: any, res: any, next: any) => {
     if (req.headers['x-forwarded-proto'] !== 'https') {
       return res.redirect(`https://${req.headers.host}${req.url}`);
     }
     next();
   });
+
+  app.use(
+      helmet.contentSecurityPolicy({
+        useDefaults: true,
+        directives: {
+          'script-src': ['\'self\''],
+          'img-src': ['\'self\'', 'data:'],
+          'connect-src': ['\'self\'']
+        }
+      })
+  );
+} else {
+  // Disable https preference for non-prod
+  app.use(
+      helmet({
+        contentSecurityPolicy: false,
+      }),
+  );
 }
 
+// Navigate to the admin route in the client
+app.get('/admin', (_req: any, res: any) => {
+  res.sendFile(path.resolve(__dirname, '../static', 'index.html'));
+});
+
 // Maximum number of party lines allowed
 const MAX_PARTY_LINES = Number(process.env.MAX_PARTY_LINES);