From ac65c8de4a65f8ec1578fcebaa695eb414a089bb Mon Sep 17 00:00:00 2001
From: simeng-li
Date: Wed, 17 May 2023 14:00:01 +0800
Subject: [PATCH] refactor(core): remove the reportOnly flag (#3849) * refactor(core): remove the reportOnly flag remove all the reportOnly flag of the CSP security headers. Bring up strict policy check * chore: add changeset add changeset
---
 .changeset/cool-oranges-cheer.md | 8 ++++++++
 packages/cloud/src/middleware/with-security-headers.ts | 2 --
 packages/core/src/middleware/koa-security-headers.ts | 4 ----
 3 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 .changeset/cool-oranges-cheer.md
diff --git a/.changeset/cool-oranges-cheer.md b/.changeset/cool-oranges-cheer.md
new file mode 100644
index 000000000..e34e961b5
--- /dev/null
+++ b/.changeset/cool-oranges-cheer.md
@@ -0,0 +1,8 @@
+---
+"@logto/cloud": patch
+"@logto/core": patch
+---
+
+### Enable strict CSP policy check header
+
+This change removes the report only flag from CSP security header settings, which will enables the strict CSP policy check for all requests.
diff --git a/packages/cloud/src/middleware/with-security-headers.ts b/packages/cloud/src/middleware/with-security-headers.ts
index 901fb4dd2..98ca47b4f 100644
--- a/packages/cloud/src/middleware/with-security-headers.ts
+++ b/packages/cloud/src/middleware/with-security-headers.ts
@@ -86,8 +86,6 @@ export default function withSecurityHeaders
 frameguard: false,
 contentSecurityPolicy: {
 useDefaults: true,
- // Temporary set to report only to avoid breaking the app
- reportOnly: true,
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],
diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index fc972fa8a..2cf542ccd 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
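Review bot: No reporting directive accompanies the now-enforcing policy in this hunk: `directives` keeps `'upgrade-insecure-requests': null` and `imgSrc`, but no `report-uri`/`report-to` entry is visible, so violations that were previously delivered as reports will only surface in the browser console once blocking starts — unless such an entry exists further down in `directives`, which continues past the hunk. If it does not, consider keeping server-side visibility of enforcement regressions by adding, next to `'upgrade-insecure-requests': null,`, a line such as `'report-uri': ['<CSP report endpoint — placeholder>'],`; the same applies to the two hunks in koa-security-headers.ts at -76 and -103. With the flag gone, the `contentSecurityPolicy` block is now repeated verbatim at three sites, so hoisting it into one shared constant would keep future directive changes from drifting between cloud and core. Both `withSecurityHeaders` and `koaSecurityHeaders` start and end outside their hunks.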
@@ -76,8 +76,6 @@ export default function koaSecurityHeaders(
 },
 contentSecurityPolicy: {
 useDefaults: true,
- // Temporary set to report only to avoid breaking the app
- reportOnly: true,
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],
@@ -103,8 +101,6 @@ export default function koaSecurityHeaders(
 frameguard: false,
 contentSecurityPolicy: {
 useDefaults: true,
- // Temporary set to report only to avoid breaking the app
- reportOnly: true,
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],