include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In a Spring security application, the code is sensitive if https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method] is not used or used without the default directive:
----
http
// ...
  .and()
  .headers()
  .contentSecurityPolicy("script-src 'self' https://example.com"); // Sensitive: default-src directive is missing
----

== Compliant Solution

In a Spring security application, starting version 4.1, a standard way to implement CSP is with https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method]:
----
http
// ...
  .and()
  .headers()
  .contentSecurityPolicy("default-src 'self' https://example.com"); // Compliant
----

include::../see.adoc[]