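---
# AWS Amplify Hosting — custom HTTP response headers (monorepo).
#
# LOCATION & SCHEMA
#
# This file must live at the **repo root** with the name
# `customHttp.yml`. AWS Amplify reads it from the default branch and
# applies the rules to every Amplify Hosting response served from any
# `applications[].appRoot` matched below. The monorepo schema requires
# the top-level `applications:` array; each entry's `appRoot` MUST
# match the "App root" configured in that app's Amplify console.
#
# Why this file and not `amplify.yml`:
# AWS explicitly recommends migrating custom headers OUT of
# `amplify.yml` and into `customHttp.yml`. The amplify.yml-embedded
# form is the legacy path. See:
#   https://docs.aws.amazon.com/amplify/latest/userguide/custom-headers.html
#   https://docs.aws.amazon.com/amplify/latest/userguide/monorepo-custom-headers.html
#   https://docs.aws.amazon.com/amplify/latest/userguide/custom-header-YAML-format.html
#
# Precedence:
# Values declared here OVERRIDE the same header set via the Amplify
# console "Custom headers" panel. Keep the per-app console panel
# empty so this file is the single source of truth.
#
# BASELINE HEADER SET (applied to all three apps)
#
# Strict-Transport-Security
#   Pin HTTPS for 1y, includeSubDomains. Amplify always serves over
#   HTTPS, so this is purely a downgrade-attack defense. `preload`
#   intentionally omitted — needs lablup.com / *.app alignment before
#   submitting to the HSTS preload list.
# X-Frame-Options: DENY
#   Clickjacking defense for legacy browsers. Browsers that understand
#   CSP `frame-ancestors` use that directive instead of this header,
#   so the two must be kept in agreement (see the Storybook entry).
# Content-Security-Policy: frame-ancestors 'none'
#   Modern clickjacking defense; this is the only CSP directive we set
#   because the WebUI talks to user-supplied Backend.AI endpoints
#   discovered at runtime, so `default-src` / `connect-src`
#   whitelisting is not viable here. Tightening CSP further is a
#   future FR.
# X-Content-Type-Options: nosniff
#   Block MIME sniffing.
# Referrer-Policy: strict-origin-when-cross-origin
#   Don't leak path/query cross-origin.
# Permissions-Policy
#   Disable camera / mic / geolocation; opt out of FLoC
#   (interest-cohort). NOTE(review): FLoC was withdrawn, so
#   `interest-cohort=()` is a no-op in current browsers and is kept
#   for older ones; its successor (Topics API) is opted out of with
#   `browsing-topics=()` — consider adding that directive.
#
# MAINTENANCE
#
# The header list is repeated verbatim per app rather than shared via
# YAML anchors / merge keys: support for them has not been verified
# against Amplify's loader, and explicit repetition keeps each app's
# policy self-contained and greppable. When changing a baseline
# header, change all three entries; the Storybook entry intentionally
# differs only in the two framing headers.
applications:
  # WebUI docs site — App root: packages/backend.ai-webui-docs
  - appRoot: packages/backend.ai-webui-docs
    customHeaders:
      - pattern: "**"
        headers:
          - key: "Strict-Transport-Security"
            value: "max-age=31536000; includeSubDomains"
          - key: "X-Frame-Options"
            value: "DENY"
          - key: "Content-Security-Policy"
            value: "frame-ancestors 'none'"
          - key: "X-Content-Type-Options"
            value: "nosniff"
          - key: "Referrer-Policy"
            value: "strict-origin-when-cross-origin"
          - key: "Permissions-Policy"
            value: "camera=(), microphone=(), geolocation=(), interest-cohort=()"

  # WebUI React app — App root: react
  - appRoot: react
    customHeaders:
      - pattern: "**"
        headers:
          - key: "Strict-Transport-Security"
            value: "max-age=31536000; includeSubDomains"
          - key: "X-Frame-Options"
            value: "DENY"
          - key: "Content-Security-Policy"
            value: "frame-ancestors 'none'"
          - key: "X-Content-Type-Options"
            value: "nosniff"
          - key: "Referrer-Policy"
            value: "strict-origin-when-cross-origin"
          - key: "Permissions-Policy"
            value: "camera=(), microphone=(), geolocation=(), interest-cohort=()"

  # Storybook (backend.ai-ui) — App root: packages/backend.ai-ui
  #
  # NOTE: Storybook's manager shell renders every component preview by
  # embedding `iframe.html` in a same-origin <iframe>. The baseline
  # `X-Frame-Options: DENY` + `frame-ancestors 'none'` used by the other
  # apps blocks ALL framing — including same-origin — so the preview pane
  # comes up blank for every story/doc. This app therefore relaxes the
  # framing headers to SAMEORIGIN / `frame-ancestors 'self'`, which still
  # blocks cross-origin clickjacking but lets the manager → preview iframe
  # load. The remaining baseline headers are unchanged.
  - appRoot: packages/backend.ai-ui
    customHeaders:
      - pattern: "**"
        headers:
          - key: "Strict-Transport-Security"
            value: "max-age=31536000; includeSubDomains"
          - key: "X-Frame-Options"
            value: "SAMEORIGIN"
          - key: "Content-Security-Policy"
            value: "frame-ancestors 'self'"
          - key: "X-Content-Type-Options"
            value: "nosniff"
          - key: "Referrer-Policy"
            value: "strict-origin-when-cross-origin"
          - key: "Permissions-Policy"
            value: "camera=(), microphone=(), geolocation=(), interest-cohort=()"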