Yeovil Hospital's SIDeR contextual link obfuscation service
License: MIT License
๐ฅ I work for a clinical software developer working with the NHS.
Previously worked within the NHS over six years across Taunton and Somerset NHSFT, Yeovil District Hospital NHSFT, and Somerset NHSFT, as an information analyst and then an interface developer.
Have a nack for automating myself out of employment.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "github-actions[bot]")
Flagged by Lighthouse, nonces or hashes should be used in script-src and style-src directives of the Content-Security-Policy response header.
'unsafe-inline' is currently used in the CSP response header of the /docs route, which allows the execution of unsafe in-page scripts and event handlers:
https://github.com/Fdawgs/ydh-sider-obfuscation-service/blob/b91ee035fe2d8b71d1ea7097c462529f557cda21/src/server.js#L127-L128
The @fastify/helmet plugin provides an option to generate nonces and it should be possible to pass these values to the redoc object via the nonce option.
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
As title states.
Should further restrict access to service.
Clinical systems in use at YDH do not allow modification of request HTTP headers in contextual links, only the query string. So cannot use bearer token auth from header.
Nodemon doesn't play well with it, on Windows at least
Yeovil District Hospital NHS Foundation Trust is due to merge with Somerset NHS Foundation Trust on 2023-04-01, and YDH NHSFT will cease to exist as an organisation.
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
Some HTTP headers do not make sense to be sent for non-HTML/XML resources, as sending them does not provide any value to users and contributes to header bloat.
Examples include content-security-policy and x-xss-protection for the PNG images on the doc pages and for the JSON responses in the API itself.
The only CSP directive that may be of use is frame-ancestors 'none' to stop responses from being wrapped in iframes.
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
Also support application/xml
I have written a descriptive issue title
I have searched existing issues to ensure it has not already been reported
I agree to follow the Code of Conduct that this project adheres to
8.0.0
16.14.2
Windows
10
See fastify/fastify-swagger#117
Navigate to /docs/openapi
No response
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
See example: https://vdp.cabinetoffice.gov.uk/.well-known/security.txt
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
User should be able to continue to redirect URL and manually login, but the keycloak params will be removed from the URL.
Is your feature request related to a problem? Please describe.
Stop staff from hammering the button in the PAS, and flooding keycloak and such with requests
Route is far too buggy, and shows up in security audits as being THE weak point too often.
Will replace with a pure OpenAPI spec route instead.
I have written a descriptive title
I have searched existing feature requests to ensure it has not already been proposed
I agree to follow the Code of Conduct that this project adheres to
Revisit once Node 20 is released and Undici is a bit more stable.
Regex to validate practitioner query string param is potentially unsafe:
Moving the logging to a worker thread would reduce blocking of main thread.
See following for supporting info:
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
