From b18c87dc8367a75d3aa2e60e56c59a024ba11c44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Placzy=C5=84ski?=
Date: Thu, 20 Jun 2024 10:06:43 +0200
Subject: [PATCH] Fix CSP issue blocking Sentry requests in Traefik configuration

The Content Security Policy (CSP) was updated to resolve the issue that was blocking Sentry requests. Previously, the `connect-src` directive did not include wildcard entries for Sentry endpoints, causing POST requests to the Sentry API to fail. The configuration was adjusted to permit requests to any instance of Sentry under the `*.ingest.sentry.io` domain. This change ensures that error tracking and monitoring via Sentry can function correctly, as required by the user story. The updated CSP also maintains security best practices and has been tested to confirm successful transmission of error data to Sentry.
---
 scripts/govtool/config/templates/docker-compose.yml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/govtool/config/templates/docker-compose.yml.tpl b/scripts/govtool/config/templates/docker-compose.yml.tpl
index 5882aef20..3c56a1064 100644
--- a/scripts/govtool/config/templates/docker-compose.yml.tpl
+++ b/scripts/govtool/config/templates/docker-compose.yml.tpl
@@ -273,7 +273,7 @@ services:
 logging: *logging
 labels:
 - "traefik.enable=true"
- - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com https://www.googletagmanager.com 'self' data:; script-src *.usersnap.com 'self' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' o4506155985141760.ingest.sentry.io *.google-analytics.com *.api.pdf.gov.tools; font-src *.usersnap.com *.gstatic.com 'self' https://fonts.gstatic.com data:; worker-src blob:"
+ - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com https://www.googletagmanager.com 'self' data:; script-src *.usersnap.com 'self' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' *.ingest.sentry.io *.google-analytics.com *.api.pdf.gov.tools; font-src *.usersnap.com *.gstatic.com 'self' https://fonts.gstatic.com data:; worker-src blob:"
 - "traefik.http.routers.to-frontend.rule=Host(``)"
 - "traefik.http.routers.to-frontend.entrypoints=websecure"
 - "traefik.http.routers.to-frontend.tls.certresolver=myresolver"
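Review bot: The `connect-src` entry `*.ingest.sentry.io` on the added `frontend-csp` label allows the frontend to post to the ingest endpoint of every Sentry organisation, not only this project's. The directive therefore no longer constrains where script running in the page can send data within that domain. The earlier single-host entry presumably failed because the configured DSN points at a different host (a regional ingest host or another organisation id), which is not visible in this hunk. If so, pinning the exact host from the DSN with an explicit scheme keeps the fix and the restriction, for example `https://<ORG_ID>.ingest.<REGION>.sentry.io` (placeholder, take the real host from the deployed DSN). If the wildcard has to stay, a YAML comment above the label should record why, and the service definition this label belongs to starts outside the hunk, so other labels that affect the policy could not be checked here.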