Merge branch '71-improve-website-security-settings' into 'master'

Resolve "Improve website security settings"

Closes #71

See merge request totem/website!56

.htaccess

+Header set Strict-Transport-Security "max-age=63072000"
+Header set X-Frame-Options "SAMEORIGIN"
+Header set X-Content-Type-Options "nosniff"

deploy.sh

@@ -12,6 +12,9 @@ mkdir -p ~/.ssh
 apt-get update
 apt-get install -y rsync
 
+# Copy .htaccess into build folder.
+cp .htaccess build/
+
 # Upload site.
 rsync -r --verbose --compress --delete --exclude js-components ./build/ \
   "${FTP_USER}@ftp.greenhost.nl:${DOMAIN_NAME}/${SUBDOMAIN}"

source/javascripts/index.js

@@ -64,17 +64,23 @@
         this.setAttribute("rel", "noreferrer noopener");
       }
     });
-  });
-  document.setLangCookie = function(lang) {
-     var expiryDate = new Date();
-     expiryDate = expiryDate.setMonth(expiryDate.getMonth() + 12);
-     var domain = window.location.hostname;
-     var cookieParams = "domain=." + domain + ";path=/;SameSite=Strict;";
-     if (window.location.protocol == "https") {
-        cookieParams += "secure=true;";
-     }
-     document.cookie = "openedx-language-preference=" + lang + ";expires=" + expiryDate + ";" + cookieParams;
-  };
 
+    var setLangCookie = function(lang) {
+       var expiryDate = new Date();
+       expiryDate = expiryDate.setMonth(expiryDate.getMonth() + 12);
+       var domain = window.location.hostname;
+       var cookieParams = "domain=." + domain + ";path=/;SameSite=Strict;";
+       if (window.location.protocol == "https:") {
+          cookieParams += "secure=true;";
+       }
+       document.cookie = "openedx-language-preference=" + lang + ";expires=" + expiryDate + ";" + cookieParams;
+    };
+    // Get locale from current path
+    var locale = window.location.pathname.split('/')[1];
+    // If the locale string is empty or ends with .html, we're on an English page
+    if (locale == "" || locale.endsWith(".html")) {
+      locale = "en";
+    }
+    setLangCookie(locale);
+  });
 })(jQuery, window, document);
-

source/layouts/layout.erb

@@ -3,6 +3,9 @@
   <head>
     <meta charset="utf-8">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <meta http-equiv="X-XSS-Protection" content="1; mode=block">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com; img-src 'self' learn.totem-project.org;">
     <meta name="viewport"
           content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <meta name="description" content="Join the totem project to learn more about security on the web">

source/partials/_footer.html.erb

@@ -3,7 +3,7 @@
       <div class="container">
         <div class="row">
           <div class="col-md-4">
-            <span class="copyright"><a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/80x15.png" /></a></span>
+            <span class="copyright"><a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" src="/img/cc-by-sa.png" /></a></span>
           </div>
           <div class="col-md-8">
             <ul class="list-inline quicklinks">

source/partials/_nav.html.erb

@@ -35,7 +35,7 @@ end
                 <ul class="dropdown-menu" aria-labelledby="dropdownMenuButton">
                   <% I18n.available_locales.select{|l| l != ::I18n.locale}.each do |loc| %>
                     <li class="dropdown-item">
-                      <%= link_to(config[:locales][loc][:name], "/index.html", :locale => loc, :class => "nav-link", :onclick => "setLangCookie('#{loc}')") %>
+                      <%= link_to(config[:locales][loc][:name], "/index.html", :locale => loc, :class => "nav-link") %>
                     </li>
                   <% end %>
                 </ul>