Content Security Policy for Spring




To help secure Spring applications, I created a Content Security Policy builder and bean and published it to Maven Central.

The code is available on GitHub.

Here’s the dependency information for a Maven POM file:

<dependency>
    <groupId>com.joehxblog</groupId>
    <artifactId>spring-content-security-policy</artifactId>
    <version>0.6.0.3</version>
</dependency>

And here's a copy of the project's README:

Content Security Policy for Spring

What is a Content Security Policy?

A Content Security Policy is an HTTP response header that tells the browser which origins a page may load scripts, styles, images, frames and other resources from, and whether inline scripts are allowed. Its main purpose is to limit the damage of cross-site scripting: even if an attacker gets markup into a page, the browser refuses to run script from sources the policy does not allow. MDN has the full directive reference:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

How to use

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import com.joehxblog.spring.csp.ContentSecurityPolicy;

@Configuration
public class Config {
    private ContentSecurityPolicy csp = new ContentSecurityPolicy();
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}

Or pass your own policy string (this one lets the page load resources only from its own origin):

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import com.joehxblog.spring.csp.ContentSecurityPolicy;

@Configuration
public class Config {
    private ContentSecurityPolicy csp = new ContentSecurityPolicy("default-src 'self'");
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}

Or use the builder:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import com.joehxblog.spring.csp.ContentSecurityPolicy;
import com.joehxblog.spring.csp.directive.FetchDirective;
import com.joehxblog.spring.csp.value.KeywordValue;

@Configuration
public class Config {
    private ContentSecurityPolicy csp = ContentSecurityPolicy.build()
            .add(FetchDirective.DEFAULT_SRC, KeywordValue.SELF)
            .build();
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return csp.filterChain(http);
    }
}
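The three snippets above only set default-src. As an added example that is not part of the original post or the library, here is a stricter policy written directly against Spring Security's own header support (HttpSecurity.headers().contentSecurityPolicy(), available in Spring Security 6.x with the lambda DSL) rather than the com.joehxblog wrapper. The property name app.csp.report-only is an assumption made up for this example so the same policy can be rolled out in report-only mode first; nothing else here comes from the page.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class StrictCspConfig {

    // The policy is kept as one string so it can be reviewed, logged and
    // compared in tests exactly as the browser will receive it.
    static final String POLICY = String.join("; ",
            "default-src 'self'",       // fallback for every fetch directive not listed
            "script-src 'self'",        // same-origin scripts only: no inline <script>, no CDNs
            "style-src 'self'",         // same-origin stylesheets only: no inline style=""
            "img-src 'self' data:",     // allow data: URIs for small embedded images
            "object-src 'none'",        // no plugin/embed content at all
            "base-uri 'self'",          // stop an injected <base> from rewriting relative URLs
            "form-action 'self'",       // forms may only submit back to this origin
            "frame-ancestors 'none'");  // nobody may frame us (clickjacking defence)

    // Assumed property name (not from the page): when true the policy is sent as
    // Content-Security-Policy-Report-Only, so violations are reported to the
    // browser console but nothing is blocked yet.
    @Value("${app.csp.report-only:false}")
    private boolean reportOnly;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
                .contentSecurityPolicy(csp -> {
                    csp.policyDirectives(POLICY);
                    if (reportOnly) {
                        csp.reportOnly();
                    }
                }));
        return http.build();
    }
}
```

Start with app.csp.report-only=true: with script-src 'self' every inline script block and every onclick="" attribute in your templates stops working the moment the header is enforced, and report-only mode lets you find them in the browser console before users do. To have violations delivered to a server instead of only the console, add a report-to (or the older report-uri) directive pointing at an endpoint you control; that endpoint is deliberately not invented here.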

Enjoy!
