Content-Security-Policy Spring Security
Problem description
Assuming a working hello world example of Spring Security and Spring MVC.
When I take a trace with Wireshark I see the following flags on the HTTP request:
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly
I would like to add this to my headers:
    Content-Security-Policy: script-src 'self'
I know that the X-Frame-Options is doing almost the same job, but still it makes me sleep better. Now I guess that I would need to do it under the configure function of my Spring Security configuration; however, I do not know how exactly, i.e. I suppose .headers().something.something(self)
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // .csrf().disable()
            // .headers().disable()
            .authorizeRequests()
                .antMatchers("/register",
                             "/static/**",
                             "/h2/**",
                             "/resources/**",
                             "/resources/static/css/**",
                             "/resources/static/img/**",
                             "/resources/static/js/**",
                             "/resources/static/pdf/**"
                ).permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
Recommended answer
Simply use the addHeaderWriter method like this:
    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ...
                .headers()
                    .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"))
                // ...
        }
    }
Note that as soon as you specify any headers that should be included, then only those headers will be included.
To include the default headers you can do:
    http
        .headers()
            .contentTypeOptions()
            .xssProtection()
            .cacheControl()
            .httpStrictTransportSecurity()
            .frameOptions()
            .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"))
        // ...
You can refer to the Spring Security documentation.
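A complete configuration, added here as an example and not taken from the question or the answer above: it re-lists the default headers the question observed, writes the policy under the standard Content-Security-Policy header name (the name the question asks for; the answer uses the older X-Content-Security-Policy name), and adds a report-only copy of a stricter candidate policy so violations can be collected before it is enforced. It follows the answer's chaining style (Spring Security 3.2-era API, without .and() between header configurers); the class name, the path patterns and the /csp-report endpoint are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class CspSecurityConfig extends WebSecurityConfigurerAdapter {

    // Scripts only from this origin (the question's policy), plus directives that
    // close the usual gaps: no plugins, and no framing, which mirrors the
    // X-Frame-Options: DENY header the application already sends.
    private static final String POLICY =
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'";

    // Stricter candidate policy, delivered report-only: the browser reports
    // violations but blocks nothing, so breakage shows up before enforcement.
    private static final String CANDIDATE = POLICY + "; style-src 'self'";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/static/**", "/resources/**").permitAll() // assumed paths
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .headers()
                // Re-list the defaults so they survive next to the custom writer
                // (the answer notes that naming any header drops the others).
                .contentTypeOptions()
                .xssProtection()
                .cacheControl()
                .httpStrictTransportSecurity()
                .frameOptions()
                // Standard header name: this is the one browsers enforce.
                .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", POLICY))
                // Report-only header; report-uri points at an assumed endpoint
                // in this application that stores the JSON violation reports.
                .addHeaderWriter(new StaticHeadersWriter(
                    "Content-Security-Policy-Report-Only",
                    CANDIDATE + "; report-uri /csp-report")); // assumed endpoint
    }
}
```

Once the enforced policy is in place, the Wireshark trace from the question should show a Content-Security-Policy line alongside the existing default headers; if the defaults disappear, the header configurers above were not re-listed.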