Package org.apache.wicket.csp
Class CSPHeaderConfiguration
- java.lang.Object
-
- org.apache.wicket.csp.CSPHeaderConfiguration
-
public class CSPHeaderConfiguration extends Object
CSPHeaderConfiguration contains the configuration for a Content-Security-Policy header. This configuration is constructed using the available CSPDirectives. A number of default profiles is provided. These profiles can be used as a basis for a specific CSP. Extra directives can be added or existing directives modified.
- Author:
- papegaaij
- See Also:
- https://www.w3.org/TR/CSP2, https://developer.mozilla.org/en-US/docs/Web/Security/CSP
-
-
Field Summary
Fields
static String CSP_VIOLATION_REPORTING_URI
-
Constructor Summary
Constructors
CSPHeaderConfiguration()
-
Method Summary
Methods
CSPHeaderConfiguration add(CSPDirective directive, String... values)
    Adds a free-form value to a directive for the CSP header.
CSPHeaderConfiguration add(CSPDirective directive, CSPRenderable... values)
    Adds the given values to the CSP directive on this configuration.
CSPHeaderConfiguration clear()
    Removes all CSP directives from the configuration.
CSPHeaderConfiguration disabled()
    Removes all directives from the CSP, returning an empty configuration.
Map<CSPDirective,List<CSPRenderable>> getDirectives()
    Returns an unmodifiable map of the directives set for this header.
boolean isAddLegacyHeaders()
    True when legacy headers should be added.
boolean isNonceEnabled()
    True when CSPDirectiveSrcValue.NONCE is used in one of the directives.
boolean isSet()
    True if this CSPHeaderConfiguration has any directives configured.
CSPHeaderConfiguration remove(CSPDirective directive)
    Removes the given directive from the configuration.
String renderHeaderValue(ContentSecurityPolicySettings settings, RequestCycle cycle)
    Renders this CSPHeaderConfiguration into an HTTP header.
CSPHeaderConfiguration reportBack()
    Configures the CSP to report violations back to the application.
CSPHeaderConfiguration reportBackAt(String mountPath)
    Configures the CSP to report violations at the specified relative URI.
CSPHeaderConfiguration setAddLegacyHeaders(boolean addLegacyHeaders)
    Enable legacy X-Content-Security-Policy headers for older browsers, such as IE.
CSPHeaderConfiguration strict()
    Builds a strict, very secure CSP configuration with the following directives: default-src 'none'; script-src 'strict-dynamic' 'nonce-XYZ'; style-src 'nonce-XYZ'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'
CSPHeaderConfiguration unsafeInline()
    Builds a CSP configuration with the following directives: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'
-
-
-
Field Detail
-
CSP_VIOLATION_REPORTING_URI
public static final String CSP_VIOLATION_REPORTING_URI
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
CSPHeaderConfiguration
public CSPHeaderConfiguration()
-
-
Method Detail
-
disabled
public CSPHeaderConfiguration disabled()
Removes all directives from the CSP, returning an empty configuration.
- Returns:
this for chaining.
-
unsafeInline
public CSPHeaderConfiguration unsafeInline()
Builds a CSP configuration with the following directives:
default-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self';
connect-src 'self';
font-src 'self';
manifest-src 'self';
child-src 'self';
frame-src 'self';
base-uri 'self'
This will allow resources to be loaded from 'self' (the current host). In addition, unsafe inline JavaScript, eval() and inline CSS are allowed. It is recommended not to allow unsafe-inline or unsafe-eval: with these keywords present, any script an attacker manages to inject into a page (through an XSS bug elsewhere in the application) runs exactly as it would without a CSP, so script-src no longer protects against XSS. Because older applications often rely on inline scripting and styling, this CSP can be used as a stepping stone for older Wicket applications before switching to strict(). Using a CSP with unsafe directives is still more secure than using no CSP at all: the remaining directives still restrict where images, fonts, frames and connections may be loaded from, and base-uri 'self' prevents an injected base element from redirecting relative URLs to an attacker's host.
- Returns:
this for chaining.
-
strict
public CSPHeaderConfiguration strict()
Builds a strict, very secure CSP configuration with the following directives:
default-src 'none';
script-src 'strict-dynamic' 'nonce-XYZ';
style-src 'nonce-XYZ';
img-src 'self';
connect-src 'self';
font-src 'self';
manifest-src 'self';
child-src 'self';
frame-src 'self';
base-uri 'self'
This will allow most resources to be loaded from 'self' (the current host). Scripts and styles are only allowed when rendered with the correct nonce; 'nonce-XYZ' stands for a fresh random value that Wicket generates for every request, so an attacker cannot predict it or reuse one from an earlier response. Wicket will automatically add the nonces to the script and link (CSS) elements and to the headers. Anything that does not carry the nonce is blocked by the browser: inline event handler attributes (onclick="..."), javascript: URLs, and script or style elements written by components or third-party markup that bypass Wicket's header rendering. Note that 'strict-dynamic' makes browsers that support it ignore host sources and 'self' in script-src, so adding a host to script-src on top of this profile has no effect in those browsers; scripts loaded by a nonced script are instead trusted transitively.
- Returns:
this for chaining.
-
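Putting the two profiles together, as an added example that is not part of the Wicket documentation or source: an Application.init() that enforces a tightened unsafeInline() policy while delivering strict() as a report-only header, so violation reports show what strict() would break before it is switched on. It assumes the Wicket 9 wiring around this class, namely that WebApplication.getCspSettings() returns a ContentSecurityPolicySettings whose blocking() and reporting() methods hand back the CSPHeaderConfiguration for the enforcing and the report-only header, and that CSPDirective and CSPDirectiveSrcValue have constants named after the directives and keywords (SCRIPT_SRC, IMG_SRC, SELF, UNSAFE_INLINE). MyApplication, HomePage and the two example.invalid hosts are placeholders.

```java
package com.example.app; // placeholder package

import org.apache.wicket.Page;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.CSPHeaderConfiguration;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Added example, not Wicket's own code. Stage one of a migration from
 * unsafeInline() to strict(): the enforced header is the unsafeInline()
 * profile minus 'unsafe-eval', and the strict() profile is sent as a
 * report-only header so the browser reports, but does not yet block,
 * everything that would fail once strict() is enforced.
 */
public class MyApplication extends WebApplication
{
    @Override
    public Class<? extends Page> getHomePage()
    {
        return HomePage.class; // placeholder page class
    }

    @Override
    protected void init()
    {
        super.init();

        // Enforced policy. unsafeInline() resets the configuration to its
        // profile, so call it first and modify the result afterwards.
        CSPHeaderConfiguration enforced = getCspSettings().blocking().unsafeInline();

        // remove() drops the whole directive; add() then rebuilds it without
        // 'unsafe-eval'. Dropping eval() is the cheap half of the migration,
        // because very little application code actually needs it.
        enforced.remove(CSPDirective.SCRIPT_SRC)
                .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF,
                     CSPDirectiveSrcValue.UNSAFE_INLINE);

        // Free-form String values are for host sources (placeholder hosts).
        // Keep them as specific as possible: a bare scheme such as "https:"
        // would allow images or connections to anywhere.
        enforced.add(CSPDirective.IMG_SRC, "https://cdn.example.invalid")
                .add(CSPDirective.CONNECT_SRC, "wss://ws.example.invalid");

        // Report-only policy: the target profile, with violations posted to a
        // relative path mounted by Wicket. Mind the warning on reportBack():
        // the endpoint is unauthenticated and every report is attacker-
        // controlled input, so rate-limit it in front of the application and
        // do not enable it in production without that.
        getCspSettings().reporting().strict().reportBackAt("csp-report");
    }
}
```

Once the report-only header stops producing violations for the pages you care about, swap the two calls: blocking().strict() becomes the enforced policy and the unsafeInline() configuration is deleted rather than kept around in reporting mode.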
reportBack
public CSPHeaderConfiguration reportBack()
Configures the CSP to report violations back to the application. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this: rate-limit the reporting endpoint in front of the application, and treat the report body as untrusted input when logging it.
- Returns:
this for chaining
- See Also:
- https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp
-
reportBackAt
public CSPHeaderConfiguration reportBackAt(String mountPath)
Configures the CSP to report violations at the specified relative URI. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this: rate-limit the reporting endpoint in front of the application, and treat the report body as untrusted input when logging it.
- Parameters:
mountPath - The path to report the violations at.
- Returns:
this for chaining
- See Also:
- https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp
-
isNonceEnabled
public boolean isNonceEnabled()
True when CSPDirectiveSrcValue.NONCE is used in one of the directives.
- Returns:
- True when any of the directives contains a nonce.
-
isAddLegacyHeaders
public boolean isAddLegacyHeaders()
True when legacy headers should be added.
- Returns:
- True when legacy headers should be added.
-
setAddLegacyHeaders
public CSPHeaderConfiguration setAddLegacyHeaders(boolean addLegacyHeaders)
Enable legacy X-Content-Security-Policy headers for older browsers, such as IE. Current browsers ignore this legacy header and honour only Content-Security-Policy, so leave it disabled unless you still have to support those older browsers; it adds bytes to every response and nothing else.
- Parameters:
addLegacyHeaders - True when the legacy headers should be added.
- Returns:
this for chaining
-
remove
public CSPHeaderConfiguration remove(CSPDirective directive)
Removes the given directive from the configuration.
- Parameters:
directive - The directive to remove.
- Returns:
this for chaining
-
add
public CSPHeaderConfiguration add(CSPDirective directive, CSPRenderable... values)
Adds the given values to the CSP directive on this configuration.
- Parameters:
directive - The directive to add the values to.
values - The values to add.
- Returns:
this for chaining
-
add
public CSPHeaderConfiguration add(CSPDirective directive, String... values)
Adds a free-form value to a directive for the CSP header. This is primarily meant to be used for URIs, that is, host sources such as a CDN origin. Keywords such as 'self', 'none' and the nonce are CSPDirectiveSrcValue constants and belong in add(CSPDirective, CSPRenderable...) instead.
- Parameters:
directive - The directive to add the values to.
values - The values to add.
- Returns:
this for chaining
-
getDirectives
public Map<CSPDirective,List<CSPRenderable>> getDirectives()
Returns an unmodifiable map of the directives set for this header.
- Returns:
- The directives set for this header.
-
isSet
public boolean isSet()
- Returns:
- true if this CSPHeaderConfiguration has any directives configured.
-
clear
public CSPHeaderConfiguration clear()
Removes all CSP directives from the configuration.
- Returns:
this for chaining.
-
renderHeaderValue
public String renderHeaderValue(ContentSecurityPolicySettings settings, RequestCycle cycle)
Renders this CSPHeaderConfiguration into an HTTP header. The returned String will be in the form "key1 value1a value1b; key2 value2a; key3 value3a value3b value3c". Values that depend on the current request, such as the nonce, are resolved through the given settings and request cycle, which is why both are required.
- Parameters:
settings - The ContentSecurityPolicySettings that renders the header.
cycle - The current RequestCycle.
- Returns:
- the rendered header.
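A check worth running in CI, as an added example that is not Wicket's own code: a JUnit 5 test that starts a page through WicketTester and asserts on the Content-Security-Policy header actually written to the response, so a later configuration change cannot silently reintroduce 'unsafe-inline' or ship a static nonce. It assumes a WebApplication subclass MyApplication (placeholder) whose init() configures getCspSettings().blocking().strict(), a placeholder HomePage, and that the mock response returned by WicketTester.getLastResponse() exposes headers through getHeader(String). The parse() helper follows the "key value value; key value" form documented for renderHeaderValue.

```java
package com.example.app; // placeholder package

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.util.tester.WicketTester;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/** Added example, not Wicket's own code. */
public class CspHeaderTest
{
    private WicketTester tester;

    @BeforeEach
    void setUp()
    {
        tester = new WicketTester(new MyApplication()); // placeholder application
    }

    @AfterEach
    void tearDown()
    {
        tester.destroy();
    }

    /**
     * Splits a rendered header value ("key1 v1a v1b; key2 v2a; ...") into a
     * directive-to-values map. Empty segments (trailing ';') are skipped.
     */
    static Map<String, String> parse(String header)
    {
        Map<String, String> directives = new HashMap<>();
        for (String part : header.split(";"))
        {
            String[] kv = part.trim().split("\\s+", 2);
            if (!kv[0].isEmpty())
            {
                directives.put(kv[0], kv.length > 1 ? kv[1] : "");
            }
        }
        return directives;
    }

    @Test
    void homePageIsServedWithStrictPolicy()
    {
        tester.startPage(HomePage.class); // placeholder page
        tester.assertRenderedPage(HomePage.class);

        String csp = tester.getLastResponse().getHeader("Content-Security-Policy");
        assertNotNull(csp, "no Content-Security-Policy header on the response");
        Map<String, String> d = parse(csp);

        // Shape of the strict() profile, with the nonce resolved per request.
        assertEquals("'none'", d.get("default-src"));
        assertEquals("'self'", d.get("base-uri"));
        assertTrue(d.get("script-src").contains("'strict-dynamic'"));
        assertTrue(d.get("script-src").matches(".*'nonce-[^']+'.*"), "script-src has no nonce");
        assertTrue(d.get("style-src").matches(".*'nonce-[^']+'.*"), "style-src has no nonce");

        // The two keywords this test exists to keep out.
        assertFalse(csp.contains("'unsafe-inline'"), "policy regressed to 'unsafe-inline'");
        assertFalse(csp.contains("'unsafe-eval'"), "policy regressed to 'unsafe-eval'");

        // A nonce is only a nonce if it changes per response; a fixed value is
        // a static password that an attacker can read once and reuse forever.
        tester.startPage(HomePage.class);
        String second = tester.getLastResponse().getHeader("Content-Security-Policy");
        assertNotEquals(csp, second, "nonce reused across two responses");
    }
}
```

If the application also sends a report-only header, add the same assertions against "Content-Security-Policy-Report-Only"; the two headers are rendered independently and can drift apart.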