您应在哪里配置内容安全策略? [英] Where should you configure Content Security Policy?

问题描述

我有一个角度应用程序，可以根据设置与Tomcat上的REST API或Jetty上的REST API进行通信. angular-app本身与战争托管在同一tomcat/jetty上.

I have an angular application, that communicates with, depending on the setup, a REST API on Tomcat or a REST API on a Jetty. The angular-app itself is hosted on the same tomcat/jetty as a war.

Tomcat设置可能在前面有一个Apache(取决于客户端)

The Tomcat setup might have an Apache in front (depending on the client)

该应用程序需要使用base64图像(通过css加载的槽)，但是现在，如果它托管在服务器上，则会出现以下错误:

The application needs to use base64 images (loaded trough css), but right now, if it's hosted on a server I get the following error:

Refused to load the image 'data:image/png;base64,...' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

所以我做了什么: 在index.html中，我已设置:

So what I've done: In index.html, I've set:

<meta http-equiv="Content-Security-Policy"
      content="default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:; style-src http: https: 'unsafe-inline'; img-src 'self' data: https:; connect-src http: https: ws:;">

在手动弹簧过滤器中，我设置了:

In a manual Spring filter, I've set:

httpServletResponse.setHeader("Content-Security-Policy",
                                  "default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:; style-src http: https: 'unsafe-inline'; img-src 'self' data: https:; connect-src http: https: ws:;");

但是，这当然没有效果，因为我没有为html/js/css调用API.

But of course, this has no effect, because I'm not calling the API for the html/js/css.

据我了解，这并不是要在Tomcat上进行配置. 您通常在哪里配置内容安全策略/Content-Security-Policy标头?

As I understand, this is not meant to be configured on Tomcat. Where do you normally configure Content Security Policy / Content-Security-Policy headers?

我需要一种不需要在将要安装文件的服务器上进行手动配置的解决方案.

I need a solution that does not need manual configuration on the server where the files will be installed.

提前谢谢！

推荐答案

Spring Security允​​许用户轻松注入安全标头，以帮助保护其应用程序.这是春季有关内容安全策略的安全参考文档.请务必注意，Spring Security默认情况下不会添加内容安全策略. Web应用程序作者必须声明安全策略以强制执行和/或监视受保护的资源.您可以使用Java配置启用CSP标头，如下所示:

Spring Security allows users to easily inject security headers to assist in protecting their application. Here is the Spring Security Reference Document for content security policy. It’s important to note that Spring Security does not add Content Security Policy by default. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. You can enable the CSP header using Java configuration as shown below:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    // ...
    .headers()
        .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
}
}

这篇关于您应在哪里配置内容安全策略?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！