Use a stricter CSP setting for the API (!93369) · Merge requests · GitLab.org / GitLab

Heinrich Lee Yu requested to merge 368909-update-csp-for-api into master Jul 27, 2022

What does this MR do and why?

When we upgraded Rails to 6.1.5.1, Rails started adding CSP headers to non-HTML requests.

This change makes the CSP headers for our API endpoints shorter and stricter.

This is also related to gitlab-com/gl-infra/production#7516 (closed) where requests started failing because of large header sizes.

How to set up and validate locally

Make sure CSP is enabled (it is by default)
Open an API request (localhost:3000/api/v4/projects)
Verify the CSP header is set to the new value

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Jul 27, 2022 by Heinrich Lee Yu

Use a stricter CSP setting for the API

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports