vsp

Reputation: 101

configuring Content-Security-Policy in tomcat

I read about configuring/implementing the Content-Security-Policy header and I came across 2 ways of doing it:

  1. using a custom filter that implements Filter, as given in this link
  2. using a meta tag

Please note that this question is not a duplicate of this; I am looking for a solution better than the one given in this link.

I see the drawback in (1) is that it is driven through code, not through a configuration file. The drawback in option (2) is that if I have, say, 100 HTML files, I need to put this tag in every HTML file? (correct me if I'm wrong) The solution I'm looking for is something I can configure in web.xml that becomes applicable to all the HTML files, the way we configure X-Frame-Options in web.xml as given here. Don't we have a similar way of configuring Content-Security-Policy in web.xml?

Upvotes: 10

Views: 57161

Answers (2)

RICHARD ABRAHAM

Reputation: 2528

Configure content-security-policy in web.xml

You can use the recommendation provided by OWASP here. It is a web filter that you can implement in your backend.

The filter then has to be defined in your web.xml file as shown below. It gets called on every request in your application. In Java you do that by creating an appropriate class.

    <filter>
        <filter-name>ContentSecurityPolicy</filter-name>
        <filter-class>YourPackagePath.ContentSecurityPolicyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ContentSecurityPolicy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The above will set the following Content-Security-Policy values in your HTTP header:

    default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block

Upvotes: 9
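The OWASP filter linked above hardcodes the policy string in Java, which is exactly the drawback the question raises. The following is an added example (not code from the answer above, from OWASP, or from Tomcat) of a servlet filter that reads the policy from an `<init-param>` in web.xml, so the header is still applied to every URL by the `/*` mapping but the policy itself is configuration, not code. The package name `com.example.security`, the init-param names `policy` and `reportOnly`, and the fallback policy are assumptions for this example. The fallback deliberately omits `'unsafe-inline'` and `'unsafe-eval'` for scripts (allowing inline script largely defeats the point of CSP against XSS) and omits the `reflected-xss` directive, which was dropped from the CSP specification and is ignored by browsers; whether your application can run under such a policy is something you have to verify, which is why the example also supports `Content-Security-Policy-Report-Only`.

```java
package com.example.security; // hypothetical package; must match <filter-class> in web.xml

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds a Content-Security-Policy header to every response, with the policy
 * text taken from web.xml so it can be changed without a rebuild.
 *
 * Matching web.xml fragment (the init-param names are this example's own):
 *
 *   <filter>
 *       <filter-name>ContentSecurityPolicy</filter-name>
 *       <filter-class>com.example.security.ContentSecurityPolicyFilter</filter-class>
 *       <init-param>
 *           <param-name>policy</param-name>
 *           <param-value>default-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'</param-value>
 *       </init-param>
 *       <init-param>
 *           <param-name>reportOnly</param-name>
 *           <param-value>false</param-value>   <!-- true = Content-Security-Policy-Report-Only -->
 *       </init-param>
 *   </filter>
 *   <filter-mapping>
 *       <filter-name>ContentSecurityPolicy</filter-name>
 *       <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * On Tomcat 10 and later replace the javax.servlet imports with jakarta.servlet.
 */
public class ContentSecurityPolicyFilter implements Filter {

    // Assumed fallback, used only when web.xml defines no "policy" init-param.
    private static final String DEFAULT_POLICY =
            "default-src 'self'; object-src 'none'; base-uri 'self'; "
          + "form-action 'self'; frame-ancestors 'self'";

    private String policy;
    private boolean reportOnly;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String configured = cfg.getInitParameter("policy");
        policy = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_POLICY
                : configured.trim();
        // Start in report-only mode while tuning the policy; violations are then
        // reported (if report-uri/report-to is configured) but nothing is blocked.
        reportOnly = Boolean.parseBoolean(cfg.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse httpRes = (HttpServletResponse) res;
            String headerName = reportOnly
                    ? "Content-Security-Policy-Report-Only"
                    : "Content-Security-Policy";
            // setHeader rather than addHeader: a second mapping of this filter must not
            // emit two policies. Set before chain.doFilter so the header is written
            // before the response is committed.
            httpRes.setHeader(headerName, policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

After deploying, check the header with `curl -sI https://your-host/some/page | grep -i content-security-policy` on a few different URLs (static HTML, JSP, error pages) to confirm the `/*` mapping really covers everything; if a frame-busting or other filter also sets CSP, whichever runs last wins because of `setHeader`, so keep this filter ordered accordingly in web.xml.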

oreoshake

Reputation: 4898

Have you tried using https://github.com/sourceclear/headlines (dead link, this is all I could find: https://github.com/stevespringett/headlines)? Its goal is to make security-related headers a matter of configuration instead of code, like you ask.

    {
      "XContentTypeConfig": {
        "enabled": true
      },

      "XFrameOptionsConfig": {
        "enabled": true,
        "value":"DENY"
      },

      "XssProtectionConfig": {
        "enabled": true
      },

      "HstsConfig": {
        "enabled": true,
        "includeSubdomains":true,
        "maxAge":31536000
      },

      "CspConfig": {
        "csp": {
          "default-src":["'self'"]
        },
        "cspReportOnly":{}
      },

      ... snip
    }

Upvotes: 3
