# Security-header configuration for the secure_headers gem.
#
# Builds the Content-Security-Policy source lists first, then registers them
# together with the cookie flags and the legacy X-* headers. Everything keyed on
# +force_ssl+ (Secure cookie flag, mixed-content blocking,
# upgrade-insecure-requests, the https: default-src) is switched on only in the
# production environment; every other environment gets the http-friendly policy.
force_ssl = %w[production].include?(Rails.env)

# CSP keyword sources ('self', 'unsafe-inline', ...) must keep their single
# quotes on the wire, which is what the percent-string lint would complain about.
# rubocop:disable Lint/PercentStringArray
default_src = force_ssl ? %w[https: 'self'] : %w['self']
connect_src = %w['self']
font_src = %w['self' data:]
img_src = %w['self' data:]
media_src = %w['self' data:]
object_src = %w['self']
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' allow any injected <script>
# to execute, which removes most of the XSS protection a CSP provides. Nonces or
# hashes are the usual replacement once the inline scripts have been migrated.
script_src = %w['self' 'unsafe-inline' 'unsafe-eval']
style_src = %w['self' 'unsafe-inline' data:]
frame_ancestors_src = %w['self']

# Third-party hosts. Each append is a single space-separated string, so the
# +uniq+ calls below only collapse identical strings, not duplicate hosts that
# appear inside different entries.
img_src << "*.google-analytics.com bam.nr-data.net stats.g.doubleclick.net"
connect_src << "*.google-analytics.com bam.nr-data.net cloudflareinsights.com "
font_src << "fonts.gstatic.com"
script_src << "www.google-analytics.com www.googletagmanager.com *.newrelic.com bam.nr-data.net *.cloudflare.com *.cloudflareinsights.com code.jquery.com"

# Optional integrations, each gated on an environment variable.
recaptcha_enabled = ENV["RECAPTCHA_ENABLED"] == "on"
script_src << "www.recaptcha.net www.gstatic.com" if recaptcha_enabled

if ENV["SENTRY_DSN"].present?
  connect_src << "*.ingest.sentry.io"
  script_src << "*.sentry-cdn.com"
end

# NOTE(review): these values are MIME types, but object-src is a source list
# (hosts, schemes, keywords); a browser will not treat them as a plugin-type
# allow-list. Confirm what this entry was meant to permit.
object_src << "application/x-shockwave-flash application/pdf"

csp = {
  preserve_schemes: force_ssl,
  default_src: default_src,
  block_all_mixed_content: force_ssl,
  connect_src: connect_src.uniq,
  font_src: font_src.uniq,
  form_action: %w['self'],
  frame_ancestors: frame_ancestors_src.uniq,
  img_src: img_src.uniq,
  manifest_src: %w['self'],
  media_src: media_src.uniq,
  object_src: object_src.uniq,
  sandbox: false,
  script_src: script_src.uniq,
  style_src: style_src.uniq,
  worker_src: %w['self' blob:],
  upgrade_insecure_requests: force_ssl
}
# rubocop:enable Lint/PercentStringArray

SecureHeaders::Configuration.default do |config|
  # Outside production the Secure flag is opted out so cookies still work over
  # plain http; HttpOnly and SameSite=Lax are always applied.
  config.cookies = {
    secure: force_ssl || SecureHeaders::OPT_OUT,
    httponly: true,
    samesite: { lax: true }
  }

  # Legacy headers, kept for browsers that pre-date the equivalent CSP
  # directives (frame-ancestors covers the same ground as X-Frame-Options).
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  # NOTE(review): current vendor guidance is to send "0" for this header, since
  # the legacy XSS auditor it enables has been retired from major browsers and
  # could itself be abused; left unchanged here because it alters the response.
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  # Two values: secure_headers emits both, so older browsers that only know the
  # first policy still get a restrictive referrer setting.
  config.referrer_policy = %w[origin-when-cross-origin strict-origin-when-cross-origin]
  config.csp = csp

  # Optional violation reporting endpoint, appended after the policy is
  # assigned so it goes through the same config object the gem will read.
  report_uri = ENV["REPORT_URI_URL"]
  if report_uri.present?
    config.csp[:report_uri] ||= []
    config.csp[:report_uri] << report_uri
  end
end