Content-Security-Policy Spring Security


Problem description

Assuming a working hello world example of Spring Security and Spring MVC.

When I take a trace with Wireshark I see the following flags on the HTTP request:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly

I would like to add this to my headers:

Content-Security-Policy: script-src 'self'

I know that X-Frame-Options is doing almost the same job, but still it makes me sleep better. Now I guess that I would need to do it under the configure function of my Spring Security configuration; however, I do not know how exactly, i.e. I suppose .headers().something.something(self)

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
//          .csrf().disable()
//          .headers().disable()
            .authorizeRequests()
                .antMatchers("/register",
                             "/static/**",
                             "/h2/**",
                             "/resources/**",
                             "/resources/static/css/**",
                             "/resources/static/img/**",
                             "/resources/static/js/**",
                             "/resources/static/pdf/**"
                             ).permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

Recommended answer

Simply use the addHeaderWriter method like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // ...
      .headers()
        // StaticHeadersWriter emits a fixed header name/value on every response
        .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
      // ...
  }
}

Note that as soon as you specify any headers that should be included, then only those headers will be included.

To include the default headers you can do:

http
  .headers()
    .contentTypeOptions()
    .xssProtection()
    .cacheControl()
    .httpStrictTransportSecurity()
    .frameOptions()
    .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","script-src 'self'"))
    // ...

You can refer to the Spring Security documentation.
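An added example (not code from the question or the answer above) that puts the two pieces together: it keeps the default headers the asker saw in Wireshark and emits the standard `Content-Security-Policy` header the question asked for, alongside the legacy `X-` prefixed name the answer uses. It assumes the Spring Security 3.2 headers DSL that the answer's snippet relies on, where the per-header methods chain directly on `headers()`; the class name and the `/login` and `/static/**` paths are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@EnableWebSecurity
@Configuration
public class CspSecurityConfig extends WebSecurityConfigurerAdapter {

    // The policy from the question. 'self' must keep its single quotes: without
    // them a browser reads it as a host literally named "self" and nothing matches.
    // Further directives are appended with ';', e.g. "script-src 'self'; object-src 'none'".
    static final String CSP = "script-src 'self'";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/static/**").permitAll()   // placeholder paths
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .headers()
                // Re-declare the defaults: with this DSL, once any header is configured
                // explicitly only the listed ones are written (see the answer above).
                .contentTypeOptions()          // X-Content-Type-Options: nosniff
                .xssProtection()               // X-XSS-Protection: 1; mode=block
                .cacheControl()                // Cache-Control / Pragma / Expires
                .httpStrictTransportSecurity() // Strict-Transport-Security
                .frameOptions()                // X-Frame-Options: DENY
                // Standard header name that current browsers enforce.
                .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", CSP))
                // Legacy prefixed name from the answer, for older browsers that only know it.
                .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", CSP));
    }
}
```

To stage a policy without breaking pages, the same writer can emit `Content-Security-Policy-Report-Only` first, which makes browsers report violations without blocking anything.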
