30 lines
932 B
Plaintext
30 lines
932 B
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
In a Spring security application, the code is sensitive if https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method] is not used or used without the default directive:
|
||
|
|
----
|
||
|
|
http
|
||
|
|
// ...
|
||
|
|
.and()
|
||
|
|
.headers()
|
||
|
|
.contentSecurityPolicy("script-src 'self' https://example.com"); // Sensitive: default-src directive is missing
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
In a Spring security application, starting version 4.1, a standard way to implement CSP is with https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method]:
|
||
|
|
----
|
||
|
|
http
|
||
|
|
// ...
|
||
|
|
.and()
|
||
|
|
.headers()
|
||
|
|
.contentSecurityPolicy("default-src 'self' https://example.com"); // Compliant
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|