include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In a Spring security application, the code is sensitive if https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method] is not used or used without the default directive:

----
http
// ...
  .and()
  .headers()
  .contentSecurityPolicy("script-src 'self' https://example.com"); // Sensitive: default-src directive is missing
----

== Compliant Solution

In a Spring security application, starting version 4.1, a standard way to implement CSP is with https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method]:

[source,java]
----
http
// ...
  .and()
  .headers()
  .contentSecurityPolicy("default-src 'self' https://example.com"); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]