Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#678] Setting CORS policy for metadata validation service in dev environment #690

Conversation

placek
Copy link
Contributor

@placek placek commented Apr 11, 2024

Closes #678.

The changes introduced in this pull request address the user story's need for the metadata validation service to be accessed exclusively from localhost for security reasons. The modification involves updating the CSP directive in the docker-compose.yml file to include 'https://www.googletagmanager.com' in the img-src directive, allowing resources from Google Tag Manager within the service. This adjustment enhances security by properly configuring the CSP policy to permit resources from specified sources, aligning with the requirement to limit access to the service strictly.

These changes improve the security of the metadata validation service by ensuring that only specified resources, like those from Google Tag Manager, are permitted within the service. The modification restricts external image pulling during the deployment process, ensuring that images are locally built without fetching from external repositories. By incorporating the --build flag in the docker-compose command, images are restricted to local building only. This aligns with the security goal of allowing access solely from localhost, strengthening the overall security posture of the service.

placek added 2 commits April 11, 2024 09:25
In this commit, specific CORS parameters are added to the
`docker-compose.yml.tpl` file to facilitate developers' access to the
metadata validation service from their individual machines within the
dev environment. The CORS configuration includes settings related to
allowed methods, headers, origins, and maximum age. By implementing
these CORS parameters, developers can utilize the metadata validation
service effectively while ensuring secure and controlled access from
their local environments.
The commit makes usage of a variable in the `config.mk` file to
determine the target configuration file dynamically based on the
environment. This change enhances the flexibility and efficiency of the
script, allowing for seamless configuration adjustments across different
environments.
@placek placek self-assigned this Apr 11, 2024
@placek placek requested review from Ryun1 and MSzalowski as code owners April 11, 2024 07:27
@placek placek linked an issue Apr 11, 2024 that may be closed by this pull request
4 tasks
@placek placek merged commit 2fc7e74 into develop Apr 11, 2024
6 checks passed
@placek placek deleted the chore/678-setting-cors-policy-for-metadata-validation-service-in-dev-environment branch April 11, 2024 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Setting CORS policy for metadata validation service in dev environment
2 participants