Content Security Policy for Spring
May 15, 2023
To help secure Spring applications, I created a Content Security Policy builder and bean and published it to Maven Central.
The code is available on GitHub.
Here’s the dependency information for a Maven POM file:
<dependency>
    <groupId>com.joehxblog</groupId>
    <artifactId>spring-content-security-policy</artifactId>
    <version>0.6.0.3</version>
</dependency>
And here’s a repeat of the README file:
Content Security Policy for Spring
What is a Content Security Policy?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
How to use
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import com.joehxblog.spring.csp.ContentSecurityPolicy;

@Configuration
public class Config {
    private ContentSecurityPolicy csp = new ContentSecurityPolicy();

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}
Or write your own:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import com.joehxblog.spring.csp.ContentSecurityPolicy;

@Configuration
public class Config {
    // The policy is passed as a raw Content-Security-Policy header value.
    private ContentSecurityPolicy csp = new ContentSecurityPolicy("default-src 'self'");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}
Or use the builder:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import com.joehxblog.spring.csp.ContentSecurityPolicy;
import com.joehxblog.spring.csp.directive.FetchDirective;
import com.joehxblog.spring.csp.value.KeywordValue;

@Configuration
public class Config {
    // The same "default-src 'self'" policy, assembled with the typed builder.
    private ContentSecurityPolicy csp = ContentSecurityPolicy.build()
        .add(FetchDirective.DEFAULT_SRC, KeywordValue.SELF)
        .build();

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}
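As an added example that is not part of the library's README, here is a fuller policy sent through the same string constructor shown above, with a comment on what each directive closes off that `default-src 'self'` alone does not. It assumes the constructor accepts any complete policy string, not only the single-directive value the README uses.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import com.joehxblog.spring.csp.ContentSecurityPolicy;

@Configuration
public class Config {
    // A policy for an app that serves its own scripts, styles and images and
    // is never meant to be framed. Directives are joined with "; " as the
    // Content-Security-Policy header grammar requires.
    public static final String POLICY = String.join("; ",
        "default-src 'self'",      // fallback for every fetch directive not listed below
        "script-src 'self'",       // no inline <script>, no third-party script hosts
        "style-src 'self'",        // no inline styles, no remote stylesheets
        "img-src 'self' data:",    // same-origin images plus inline data: URIs only
        "object-src 'none'",       // no plugin content; default-src does not cover it safely
        "base-uri 'self'",         // an injected <base> cannot retarget relative URLs
        "form-action 'self'",      // forms can only submit back to this origin
        "frame-ancestors 'none'"   // clickjacking protection, equivalent to X-Frame-Options DENY
    );

    // Assumption: the string constructor takes the whole header value verbatim,
    // as it does for the README's "default-src 'self'".
    private final ContentSecurityPolicy csp = new ContentSecurityPolicy(POLICY);

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}
```

Keeping the policy in a public constant lets a MockMvc test assert `header().string("Content-Security-Policy", Config.POLICY)` on a response, so a later edit that silently drops a directive fails the build rather than going unnoticed.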
Enjoy!