
content security policy for navigation links

In my project, I have a backend (Spring Boot) and a frontend (Angular). The cybersecurity team wants a CSP header in the response headers on every page.

I have provided them a CSP header on all my endpoints, authenticated or unauthenticated, but they also want it on navigation links which render only from the frontend, like '/login'.

So, I have provided them CSP as a meta tag by adding it to index.html. Still, they want it as a response header.

Now, my questions:

1: How important is it to have CSP on pages which do not load on the basis of backend interaction?

2: What are the best ways to achieve this?

3: And because our cybersecurity team is adamant, how can I add CSP to the response header on these kinds of pages?

Addressing your questions in order:

  1. It is still possible to find an XSS in a page that does not communicate with the backend. For example, if the attacker can execute arbitrary JavaScript on your login page, they can in theory use this to steal your users' passwords. CSP can mitigate these attacks and should therefore be used here.

  2. Do you mean CSP meta tag vs. header? If this is the case, I would prefer it to be in the header. If an attacker somehow can upload an HTML document and it gets served, they could in theory get around the CSP.

  3. This depends on your web server. If you are using Spring Boot to serve the frontend files, you can enable it with Spring Security as described in the docs:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // ...
            // Adds a Content-Security-Policy header to every response that
            // passes through this filter chain, static frontend files included.
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
                )
            );
        return http.build();
    }
}

Other web servers have their own configuration for this; popular ones are Apache and nginx. In my experience there is typically a web server other than Spring Boot that serves the frontend files. If you only serve a JSON REST API over Spring Boot, it is actually not necessary to set the CSP in Spring Boot.
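For the nginx case mentioned above, here is an added example configuration (not part of the answer) that serves the Angular build and attaches the CSP header to the index.html fallback used for client-side routes such as /login; the hostname, directory, upstream port and the policy directives are assumptions to be adapted to the real deployment.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;      # assumed hostname
    root /var/www/angular-dist;       # assumed Angular build output directory

    # Set at server level so every location below inherits it, including the
    # index.html fallback for frontend routes. 'always' also attaches the
    # header to 4xx/5xx responses, which add_header otherwise skips.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report-endpoint/" always;

    # Routes like /login have no file on disk: fall back to index.html.
    # This location declares no add_header of its own, so the CSP header
    # from the server level is inherited.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Caveat: a location that declares any add_header of its own drops all
    # inherited add_header directives, so the CSP line must be repeated here.
    location ~* \.(js|css|woff2)$ {
        add_header Cache-Control "public, max-age=31536000, immutable";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report-endpoint/" always;
    }

    # API calls go to Spring Boot, which sets its own headers (assumed port).
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Verify with `curl -sI https://app.example.com/login | grep -i content-security-policy` that the header is present on the frontend-only route; the existing check script in the Cache-Control location is the most common place for it to silently disappear.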
