42 lines
1.1 KiB
Plaintext
42 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In a Spring security application, the code is sensitive if https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method] is not used or used without the default directive:
|
|
|
|
----
|
|
http
|
|
// ...
|
|
.and()
|
|
.headers()
|
|
.contentSecurityPolicy("script-src 'self' https://example.com"); // Sensitive: default-src directive is missing
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In a Spring security application, starting version 4.1, a standard way to implement CSP is with https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method]:
|
|
|
|
[source,java]
|
|
----
|
|
http
|
|
// ...
|
|
.and()
|
|
.headers()
|
|
.contentSecurityPolicy("default-src 'self' https://example.com"); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|