From 5b39288318499d333099b6a131a2c2336969cfd2 Mon Sep 17 00:00:00 2001
From: Jonathan Fox
Date: Fri, 17 Feb 2023 16:22:48 +0000
Subject: [PATCH 1/3] Updated app.helmet for CSP
Added CSP attributes to allow for localhost to run scripts.
---
 server.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/server.js b/server.js
index 9887c89..845d6ef 100644
--- a/server.js
+++ b/server.js
@@ -7,7 +7,17 @@ const hbs = require('hbs');
 const authn = require('./libs/authn');
 const helmet = require('helmet');
 const app = express();
-app.use(helmet());
+app.use(helmet({
+ contentSecurityPolicy: {
+ directives: {
+ ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+ 'script-src': ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net https://ajax.googleapis.com'],
+ 'script-src-attr': ["'self'", "'unsafe-inline'"],
+ 'style-src': ["'self'", "'unsafe-inline'", 'https://*.googleapis.com https://www.w3schools.com'],
+ 'img-src': ['https:', 'data:'],
+ },
+ },
+}));
 app.set('view engine', 'html');
From 67c80caee48340f34a012e2861ebaad38058880e Mon Sep 17 00:00:00 2001
From: Jonathan Fox
Date: Fri, 17 Feb 2023 16:38:27 +0000
Subject: [PATCH 2/3] Updated connect-src
updated connect-src to allow connection to cognito in csp
---
 server.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server.js b/server.js
index 845d6ef..a1fafef 100644
--- a/server.js
+++ b/server.js
@@ -14,6 +14,7 @@ app.use(helmet({
 'script-src': ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net https://ajax.googleapis.com'],
 'script-src-attr': ["'self'", "'unsafe-inline'"],
 'style-src': ["'self'", "'unsafe-inline'", 'https://*.googleapis.com https://www.w3schools.com'],
+ 'connect-src': ["'self'", 'https://cognito-idp.us-west-2.amazonaws.com/' ],
 'img-src': ['https:', 'data:'],
 },
 },
From e2cd7f3b1e7a51f8a4ecb97fcb4a2d20399a2432 Mon Sep 17 00:00:00 2001
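Review bot: `'unsafe-inline'` in `script-src` (and again in `script-src-attr`) lets any injected `<script>` or inline event handler run, so the policy added on these lines no longer mitigates XSS and the `'self'`/CDN allow-list next to it is effectively moot for reflected or stored markup. The usual fix is to permit the app's own inline scripts by per-request nonce instead: generate one in a small middleware before the helmet call, reference it from a function-valued directive entry (helmet accepts `(req, res) => string` values in recent versions — confirm against the installed one), have the hbs views emit `nonce="{{cspNonce}}"` on their inline `<script>` tags, and then `script-src-attr` can be tightened to `["'none'"]` once any inline handlers are moved into those scripts; the `require('crypto')` belongs with the other requires above the hunk. Two smaller points: each host should be its own array element (`'https://cdn.jsdelivr.net', 'https://ajax.googleapis.com'`) rather than a space-joined string, and `img-src` replaces helmet's default `'self'` with the bare `https:` scheme, which would block same-origin images whenever the app is served over plain http on localhost — the very case the commit message says it is enabling.
```javascript
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
  next();
});
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      ...helmet.contentSecurityPolicy.getDefaultDirectives(),
      'script-src': ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`, 'https://cdn.jsdelivr.net', 'https://ajax.googleapis.com'],
      // … unchanged: script-src-attr, style-src …
      'img-src': ["'self'", 'https:', 'data:'],
    },
  },
}));
```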
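Review bot: The added `connect-src` line hard-codes the `us-west-2` Cognito endpoint, while the user-pool region presumably lives in `./libs/authn` or environment configuration; if the two ever drift apart the browser blocks the token requests silently and the failure only surfaces as a console CSP violation. Consider deriving the host from that same setting (a template literal over the configured region, defined once above the helmet call) and referencing it here as `'connect-src': ["'self'", cognitoHost],` so the policy and the auth client cannot disagree. The trailing `/` is harmless — a bare `/` path matches every path on the host — but dropping it keeps the entry consistent with the other host sources in this block, which starts above the hunk.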
From: Jonathan Fox
Date: Mon, 20 Feb 2023 14:19:44 +0000
Subject: [PATCH 3/3] Added crossOriginEmbedderPolicy policy: "credentialless" to allow for W3 css to load
---
 server.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server.js b/server.js
index a1fafef..d6b1935 100644
--- a/server.js
+++ b/server.js
@@ -19,6 +19,7 @@ app.use(helmet({
 },
 },
 }));
+app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" }));
 app.set('view engine', 'html');
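Review bot: The added `app.use(helmet.crossOriginEmbedderPolicy(...))` sets `Cross-Origin-Embedder-Policy` a second time, overriding whatever the preceding `helmet({...})` call already emitted (judging by the commit message, `require-corp`), so the effective header now depends on middleware order rather than on one visible setting. Pass the option into the existing call instead — `crossOriginEmbedderPolicy: { policy: 'credentialless' },` next to `contentSecurityPolicy` — so the header is configured in one place; that `app.use(helmet({` begins above this hunk. As far as I know `credentialless` was at this time honoured only by Chromium-based browsers, with others treating the unknown value as `unsafe-none`, so if the app does not need cross-origin isolation (no `SharedArrayBuffer` or high-resolution timers) `crossOriginEmbedderPolicy: false` gives the same result everywhere and is easier to reason about. The double-quoted `"credentialless"` also departs from the single-quoted strings used throughout the rest of this file.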