Fix docs.js suggested security issues

cisagov · Jan 6, 2025 · d68c667 · d68c667
1 parent 995fdfb
commit d68c667
Showing 1 changed file with 40 additions and 50 deletions.
diff --git a/frontend/scripts/docs.js b/frontend/scripts/docs.js
@@ -8,28 +8,15 @@ import fs from 'fs';
 
 export const app = express();
 
-// Rate limiting
 app.use(
   rateLimit({
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    max: 1000 // Limit each IP to 1000 requests per windowMs
+    windowMs: 15 * 60 * 1000,
+    max: 1000
   })
-);
+); // limit 1000 requests per 15 minutes
 
-// Serve static assets with explicit MIME types
-app.use(
-  express.static(path.join(__dirname, '../docs-build'), {
-    setHeaders: (res, filePath) => {
-      if (filePath.endsWith('.js')) {
-        res.setHeader('Content-Type', 'application/javascript');
-      } else if (filePath.endsWith('.css')) {
-        res.setHeader('Content-Type', 'text/css');
-      }
-    }
-  })
-);
+app.use(express.static(path.join(__dirname, '../docs/build')));
 
-// CORS settings
 app.use(
   cors({
     origin: [
@@ -40,21 +27,33 @@ app.use(
   })
 );
 
-// Helmet for security headers
 app.use(
   helmet({
     contentSecurityPolicy: {
       directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: [
+        defaultSrc: [
           "'self'",
-          'https://ajax.googleapis.com',
-          'https://www.ssa.gov'
+          `${process.env.COGNITO_URL}`,
+          `${process.env.BACKEND_DOMAIN}`
         ],
-        styleSrc: ["'self'", "'unsafe-inline'"],
-        imgSrc: ["'self'", 'data:', 'https://www.ssa.gov'],
         frameSrc: ["'self'", 'https://www.dhs.gov/ntas/'],
-        objectSrc: ["'none'"]
+        imgSrc: [
+          "'self'",
+          'data:',
+          `https://${process.env.DOMAIN}`,
+          'https://www.ssa.gov',
+          'https://www.dhs.gov'
+        ],
+        objectSrc: ["'none'"],
+        scriptSrc: [
+          "'self'",
+          `${process.env.BACKEND_DOMAIN}`,
+          'https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js',
+          'https://www.ssa.gov/accessibility/andi/fandi.js',
+          'https://www.ssa.gov/accessibility/andi/andi.js',
+          'https://www.dhs.gov'
+        ],
+        frameAncestors: ["'none'"]
       }
     },
     hsts: {
@@ -65,50 +64,41 @@ app.use(
   })
 );
 
-// Middleware to set Cache-Control headers
+//Middleware to set Cache-Control headers
 app.use((req, res, next) => {
   res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
   next();
 });
 
-// Middleware to disable XSS protection
 app.use((req, res, next) => {
   res.setHeader('X-XSS-Protection', '0');
   next();
 });
 
-// Route to serve `/docs` directly
-app.get('/docs', (req, res) => {
-  res.sendFile(path.join(__dirname, '../docs-build/index.html'));
-});
-
-// Route to serve `/docs/*` for Gatsby client-side routing
-app.get('/docs/*', (req, res) => {
-  const rootFolder = path.join(__dirname, '../docs-build');
-  const requestedPath = req.path.replace('/docs', '');
-  const staticFilePath = path.join(rootFolder, requestedPath);
+// Serve static assets
+app.use(
+  express.static(path.join(__dirname, '../docs-build'), {
+    setHeaders: (res, filePath) => {
+      if (filePath.endsWith('.js')) {
+        res.setHeader('Content-Type', 'application/javascript');
+      }
+    }
+  })
+);
 
-  // Debugging logs for path resolution
-  console.log(`Requested path: ${requestedPath}`);
-  console.log(`Resolved file path: ${staticFilePath}`);
+// Fallback to index.html for client-side routing
+app.get('*', (req, res) => {
+  const staticFilePath = path.join(__dirname, '../docs-build', req.path);
 
-  // If the requested file exists, serve it
+  // Serve the file if it exists
   if (fs.existsSync(staticFilePath) && fs.lstatSync(staticFilePath).isFile()) {
-    console.log(`Serving file: ${staticFilePath}`);
     res.sendFile(staticFilePath);
   } else {
     // Fallback to index.html for client-side routing
-    console.log(`File not found, falling back to index.html`);
-    res.sendFile(path.join(rootFolder, 'index.html'));
+    res.sendFile(path.join(__dirname, '../docs-build/index.html'));
   }
 });
 
-// Fallback for all other routes (non /docs)
-app.get('*', (req, res) => {
-  res.status(404).send('Not Found');
-});
-
-// Serverless handler
 export const handler = serverless(app, {
   binary: ['image/*', 'font/*']
 });