diff --git a/.env.example b/.env.example index c7d9e34f3..0580a0041 100644 --- a/.env.example +++ b/.env.example @@ -2,6 +2,7 @@ PORT=3000 CONNECTOR_HOST=http://127.0.0.1:9300 ADMINUSERS_URL=http://127.0.0.1:9700 CARDID_HOST=http://127.0.0.1:9900 +FRONTEND_URL=http://127.0.0.1:3000 SECURE_COOKIE_OFF=false COOKIE_MAX_AGE=5400000 SESSION_ENCRYPTION_KEY=naskjwefvwei72rjkwfmjwfi72rfkjwefmjwefiuwefjkbwfiu24fmjbwfk diff --git a/README.md b/README.md index ae3d6f0f6..b1e84d411 100644 --- a/README.md +++ b/README.md @@ -95,30 +95,31 @@ Run in two separate terminals: ## Key environment variables -| variable | required | default value | Description | -|:-------------------------------------------------------------------------------------------------|:--------:|:-------------------------------------------------------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `PORT` | X | 9200 | The port number for the express server to be bound at runtime | -| `SESSION_ENCRYPTION_KEY` | X | | key to be used by the cookie encryption algorithm. Should be a large unguessable string ([More Info](https://www.npmjs.com/package/client-sessions)). | -| `CONNECTOR_TOKEN_URL` | X | | The connector endpoint to use when validating the one time token. | -| `ANALYTICS_TRACKING_ID` | X | | Tracking ID to be used by 'Google-Analytics'. | -| `SECURE_COOKIE_OFF` | | false/undefined | To switch off generating secure cookies. Set this to `true` only if you are running self service in a `non HTTPS` environment. | -| `NODE_WORKER_COUNT` | | 1 | The number of worker threads started by node cluster when run in production mode | -| `WORLDPAY_3DS_FLEX_DDC_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/ddc.html` | URL for Device Data Collection (DDC) initiation in TEST | -| `WORLDPAY_3DS_FLEX_DDC_LIVE_URL` | X | | URL for Device Data Collection (DDC) initiation in LIVE | -| `WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/challenge.html` | Pointing to Worldpay's TEST 3ds flex challenge URL. | -| `WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL` | X | `https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp` | Pointing to Worldpay's LIVE 3ds flex challenge URL. | -| `CSP_SEND_HEADER` | | false/undefined | Apply card payment contest security policy headers. | -| `CSP_ENFORCE` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. | -| `CSP_REPORT_URI` | | | URI to receive CSP violation reports. | -| `GOOGLE_PAY_MERCHANT_ID` | | | Merchant ID used to identify GOV.UK Pay to Google when making a payment request. This ID is got from the Google Pay Developer Profile. | -| `GOOGLE_PAY_MERCHANT_ID_2` | | | The same as GOOGLE_PAY_MERCHANT_ID, but used to rotate to a new merchant id in a safe way. | -| `WORLDPAY_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Worldpay accounts | -| `WORLDPAY_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Worldpay accounts | -| `STRIPE_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Stripe accounts | -| `STRIPE_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Stripe accounts | -| `PAY_TEST_GATEWAY_ACCOUNTS` | | [""] | Gateway accounts that should ignore the wallet feature toggles | -| `STRIPE_TEST_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | -| `STRIPE_LIVE_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | +| variable | required | default value | Description | +|:---------------------------------------|:--------:|:-------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------------------------------------------------------| +| `PORT` | X | 9200 | The port number for the express server to be bound at runtime | +| `SESSION_ENCRYPTION_KEY` | X | | key to be used by the cookie encryption algorithm. Should be a large unguessable string ([More Info](https://www.npmjs.com/package/client-sessions)). | +| `CONNECTOR_TOKEN_URL` | X | | The connector endpoint to use when validating the one time token. | +| `ANALYTICS_TRACKING_ID` | X | | Tracking ID to be used by 'Google-Analytics'. | +| `SECURE_COOKIE_OFF` | | false/undefined | To switch off generating secure cookies. Set this to `true` only if you are running self service in a `non HTTPS` environment. | +| `NODE_WORKER_COUNT` | | 1 | The number of worker threads started by node cluster when run in production mode | +| `WORLDPAY_3DS_FLEX_DDC_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/ddc.html` | URL for Device Data Collection (DDC) initiation in TEST | +| `WORLDPAY_3DS_FLEX_DDC_LIVE_URL` | X | | URL for Device Data Collection (DDC) initiation in LIVE | +| `WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/challenge.html` | Pointing to Worldpay's TEST 3ds flex challenge URL. | +| `WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL` | X | `https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp` | Pointing to Worldpay's LIVE 3ds flex challenge URL. | +| `CSP_SEND_HEADER` | | false/undefined | Apply card payment contest security policy headers. | +| `CSP_ENFORCE` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. | +| `CSP_REPORT_URI` | | | URI to receive CSP violation reports. | +| `GOOGLE_PAY_MERCHANT_ID` | | | Merchant ID used to identify GOV.UK Pay to Google when making a payment request. This ID is got from the Google Pay Developer Profile. | +| `GOOGLE_PAY_MERCHANT_ID_2` | | | The same as GOOGLE_PAY_MERCHANT_ID, but used to rotate to a new merchant id in a safe way. | +| `WORLDPAY_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Worldpay accounts | +| `WORLDPAY_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Worldpay accounts | +| `STRIPE_APPLE_PAY_ENABLED` | | true | Feature toggle that enables Apple Pay for Stripe accounts | +| `STRIPE_GOOGLE_PAY_ENABLED` | | true | Feature toggle that enables Google Pay for Stripe accounts | +| `PAY_TEST_GATEWAY_ACCOUNTS` | | [""] | Gateway accounts that should ignore the wallet feature toggles | +| `STRIPE_TEST_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | +| `STRIPE_LIVE_PUBLISHABLE_API_KEY` | | | Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | +| `FRONTEND_URL` | | | Used to set the CSP `Reporting-Endpoint` header | ## Licence diff --git a/app/middleware/csp.js b/app/middleware/csp.js index 64029344f..efd96b6a8 100644 --- a/app/middleware/csp.js +++ b/app/middleware/csp.js @@ -9,7 +9,7 @@ const hasSubstr = require('../utils/has-substr') const sendCspHeader = process.env.CSP_SEND_HEADER === 'true' const enforceCsp = process.env.CSP_ENFORCE === 'true' const allowUnsafeEvalScripts = process.env.CSP_ALLOW_UNSAFE_EVAL_SCRIPTS === 'true' - +const frontendUrl = process.env.FRONTEND_URL || '' // Script responsible for setting 'js-enabled' class, extends GOV.UK frontend `layout` which we have no control over // and never changes const govUkFrontendLayoutJsEnabledScriptHash = '\'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=\'' @@ -90,7 +90,7 @@ const worldpayIframeCSP = helmet({ }) const setReportingEndpoints = (req, res, next) => { - res.setHeader('Reporting-Endpoints', `${reportingEndpointName}=${paths.csp.path}`) + res.setHeader('Reporting-Endpoints', `${reportingEndpointName}=${frontendUrl}${paths.csp.path}`) next() }