PP-11850 set FQDN for Reporting-Endpoints header (#3796)
updated express middleware that sets the Reporting-Endpoints header to use the FQDN of the frontend service
nlsteers authored Feb 6, 2024
1 parent b898996 commit 8cb4ba2
Showing 3 changed files with 28 additions and 26 deletions.
1 change: 1 addition & 0 deletions .env.example
Expand Up @@ -2,6 +2,7 @@ PORT=3000
CONNECTOR_HOST=http://127.0.0.1:9300
ADMINUSERS_URL=http://127.0.0.1:9700
CARDID_HOST=http://127.0.0.1:9900
FRONTEND_URL=http://127.0.0.1:3000
SECURE_COOKIE_OFF=false
COOKIE_MAX_AGE=5400000
SESSION_ENCRYPTION_KEY=naskjwefvwei72rjkwfmjwfi72rfkjwefmjwefiuwefjkbwfiu24fmjbwfk
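Review bot: the example value `FRONTEND_URL=http://127.0.0.1:3000` is fine for local development, but it is worth a comment in `.env.example` that the real value must be the public `https://` origin of the frontend: the Reporting API only accepts potentially trustworthy endpoint URLs, so a plain-http FQDN in a deployed environment makes the browser silently discard the endpoint and no CSP reports arrive.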
49 changes: 25 additions & 24 deletions README.md
Expand Up @@ -95,30 +95,31 @@ Run in two separate terminals:

## Key environment variables

| variable | required | default value | Description |
|:-------------------------------------------------------------------------------------------------|:--------:|:-------------------------------------------------------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `PORT` | X | 9200 | The port number for the express server to be bound at runtime |
| `SESSION_ENCRYPTION_KEY` | X | | key to be used by the cookie encryption algorithm. Should be a large unguessable string ([More Info](https://www.npmjs.com/package/client-sessions)). |
| `CONNECTOR_TOKEN_URL` | X | | The connector endpoint to use when validating the one time token. |
| `ANALYTICS_TRACKING_ID` | X | | Tracking ID to be used by 'Google-Analytics'. |
| `SECURE_COOKIE_OFF` | | false/undefined | To switch off generating secure cookies. Set this to `true` only if you are running self service in a `non HTTPS` environment. |
| `NODE_WORKER_COUNT` | | 1 | The number of worker threads started by node cluster when run in production mode |
| `WORLDPAY_3DS_FLEX_DDC_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/ddc.html` | URL for Device Data Collection (DDC) initiation in TEST |
| `WORLDPAY_3DS_FLEX_DDC_LIVE_URL` | X | | URL for Device Data Collection (DDC) initiation in LIVE |
| `WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/challenge.html` | Pointing to Worldpay's TEST 3ds flex challenge URL. |
| `WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL` | X | `https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp` | Pointing to Worldpay's LIVE 3ds flex challenge URL. |
| `CSP_SEND_HEADER` | | false/undefined | Apply card payment contest security policy headers. |
| `CSP_ENFORCE` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. |
| `CSP_REPORT_URI` | | | URI to receive CSP violation reports. |
| `GOOGLE_PAY_MERCHANT_ID` | | | Merchant ID used to identify GOV.UK Pay to Google when making a payment request. This ID is got from the Google Pay Developer Profile. |
| `GOOGLE_PAY_MERCHANT_ID_2` | | | The same as GOOGLE_PAY_MERCHANT_ID, but used to rotate to a new merchant id in a safe way. |
| `WORLDPAY_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Worldpay accounts |
| `WORLDPAY_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Worldpay accounts |
| `STRIPE_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Stripe accounts |
| `STRIPE_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Stripe accounts |
| `PAY_TEST_GATEWAY_ACCOUNTS` | | [""] | Gateway accounts that should ignore the wallet feature toggles |
| `STRIPE_TEST_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges |
| `STRIPE_LIVE_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges |
| variable | required | default value | Description |
|:---------------------------------------|:--------:|:-------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------------------------------------------------------|
| `PORT` | X | 9200 | The port number for the express server to be bound at runtime |
| `SESSION_ENCRYPTION_KEY` | X | | key to be used by the cookie encryption algorithm. Should be a large unguessable string ([More Info](https://www.npmjs.com/package/client-sessions)). |
| `CONNECTOR_TOKEN_URL` | X | | The connector endpoint to use when validating the one time token. |
| `ANALYTICS_TRACKING_ID` | X | | Tracking ID to be used by 'Google-Analytics'. |
| `SECURE_COOKIE_OFF` | | false/undefined | To switch off generating secure cookies. Set this to `true` only if you are running self service in a `non HTTPS` environment. |
| `NODE_WORKER_COUNT` | | 1 | The number of worker threads started by node cluster when run in production mode |
| `WORLDPAY_3DS_FLEX_DDC_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/ddc.html` | URL for Device Data Collection (DDC) initiation in TEST |
| `WORLDPAY_3DS_FLEX_DDC_LIVE_URL` | X | | URL for Device Data Collection (DDC) initiation in LIVE |
| `WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/challenge.html` | Pointing to Worldpay's TEST 3ds flex challenge URL. |
| `WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL` | X | `https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp` | Pointing to Worldpay's LIVE 3ds flex challenge URL. |
| `CSP_SEND_HEADER` | | false/undefined | Apply card payment contest security policy headers. |
| `CSP_ENFORCE` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. |
| `CSP_REPORT_URI` | | | URI to receive CSP violation reports. |
| `GOOGLE_PAY_MERCHANT_ID` | | | Merchant ID used to identify GOV.UK Pay to Google when making a payment request. This ID is got from the Google Pay Developer Profile. |
| `GOOGLE_PAY_MERCHANT_ID_2` | | | The same as GOOGLE_PAY_MERCHANT_ID, but used to rotate to a new merchant id in a safe way. |
| `WORLDPAY_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Worldpay accounts |
| `WORLDPAY_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Worldpay accounts |
| `STRIPE_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Stripe accounts |
| `STRIPE_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Stripe accounts |
| `PAY_TEST_GATEWAY_ACCOUNTS` | | [""] | Gateway accounts that should ignore the wallet feature toggles |
| `STRIPE_TEST_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges |
| `STRIPE_LIVE_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges |
| `FRONTEND_URL` | | | Used to set the CSP `Reporting-Endpoint` header |

## Licence

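Review bot: the new `FRONTEND_URL` row names the header `Reporting-Endpoint`, but the header set in `app/middleware/csp.js` is `Reporting-Endpoints` (plural); the description should also say what shape the value takes, since the middleware concatenates it directly with the CSP report path, for example "Public `https://` origin of the frontend (scheme and host, no trailing slash), prepended to the CSP report path in the `Reporting-Endpoints` header". Given that the header is only useful with an absolute URL, consider marking it required whenever `CSP_SEND_HEADER` is set. Since the whole table is rewritten in this hunk, the pre-existing typo in the `CSP_SEND_HEADER` row ("card payment contest security policy") could be corrected to "content security policy" at the same time.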
4 changes: 2 additions & 2 deletions app/middleware/csp.js
Expand Up @@ -9,7 +9,7 @@ const hasSubstr = require('../utils/has-substr')
const sendCspHeader = process.env.CSP_SEND_HEADER === 'true'
const enforceCsp = process.env.CSP_ENFORCE === 'true'
const allowUnsafeEvalScripts = process.env.CSP_ALLOW_UNSAFE_EVAL_SCRIPTS === 'true'

const frontendUrl = process.env.FRONTEND_URL || ''
// Script responsible for setting 'js-enabled' class, extends GOV.UK frontend `layout` which we have no control over
// and never changes
const govUkFrontendLayoutJsEnabledScriptHash = '\'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=\''
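Review bot: `const frontendUrl = process.env.FRONTEND_URL || ''` falls back to an empty string, which means a misconfigured deployment keeps emitting a `Reporting-Endpoints` header whose URL is a bare path; browsers ignore a non-absolute endpoint, so reports are lost with no visible error. Either fail fast at startup when `CSP_SEND_HEADER` is on and `FRONTEND_URL` is unset, or log a warning and skip setting the header. It would also be safer to normalise the value here (strip a trailing `/`) so that a `FRONTEND_URL` ending in a slash does not produce a `//` in the endpoint URL.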
Expand Down Expand Up @@ -90,7 +90,7 @@ const worldpayIframeCSP = helmet({
})

const setReportingEndpoints = (req, res, next) => {
res.setHeader('Reporting-Endpoints', `${reportingEndpointName}=${paths.csp.path}`)
res.setHeader('Reporting-Endpoints', `${reportingEndpointName}=${frontendUrl}${paths.csp.path}`)
next()
}

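Review bot: the header value is still emitted unquoted, `${reportingEndpointName}=${frontendUrl}${paths.csp.path}`, whereas the Reporting API defines `Reporting-Endpoints` as a Structured Field Dictionary whose members are strings, i.e. `name="https://host/path"`; an unquoted member parses as a token and is dropped by the endpoint-processing step, so the fix to prepend the FQDN will not take effect until the value is wrapped in double quotes. Suggest `res.setHeader('Reporting-Endpoints', \`${reportingEndpointName}="${frontendUrl}${paths.csp.path}"\`)` and a unit test that asserts the exact header string for a configured `FRONTEND_URL`.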
