Package org.apache.wicket.csp
Class ContentSecurityPolicySettings
- java.lang.Object
-
- org.apache.wicket.csp.ContentSecurityPolicySettings
-
public class ContentSecurityPolicySettings extends Object
Build the CSP configuration like this:

    myApplication.getCspSettings().blocking().clear()
        .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
        .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF)
        .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
        .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF);

    myApplication.getCspSettings().reporting().strict();

See CSPHeaderConfiguration for more details on specifying the configuration.
- Author:
- Sven Haster, Emond Papegaaij
- See Also:
- https://www.w3.org/TR/CSP2, https://developer.mozilla.org/en-US/docs/Web/Security/CSP
-
-
Field Summary
Modifier and Type, Field:
- static MetaDataKey<String> NONCE_KEY
-
Constructor Summary
Constructor:
- ContentSecurityPolicySettings(Application application)
-
Method Summary
Modifier and Type, Method, Description:
- CSPHeaderConfiguration blocking()
- protected String createNonce(): Create a new nonce.
- void enforce(WebApplication application): Enforce CSP settings on an application.
- Map<CSPHeaderMode,CSPHeaderConfiguration> getConfiguration(): Returns the CSP configuration per CSPHeaderMode.
- String getNonce(RequestCycle cycle)
- boolean isEnabled(): Is CSP enabled.
- boolean isNonceEnabled(): Returns true if any of the headers includes a directive with a nonce.
- protected boolean mustProtectRequest(IRequestHandler handler): Should any request be protected by CSP.
- CSPHeaderConfiguration reporting()
- ContentSecurityPolicySettings setNonceCreator(Supplier<String> nonceCreator): Sets the creator of nonces.
- ContentSecurityPolicySettings setProtectedFilter(Predicate<IRequestHandler> protectedFilter): Sets the predicate that determines which requests must be protected by the CSP.
-
-
-
Field Detail
-
NONCE_KEY
public static final MetaDataKey<String> NONCE_KEY
-
-
Constructor Detail
-
ContentSecurityPolicySettings
public ContentSecurityPolicySettings(Application application)
-
-
Method Detail
-
blocking
public CSPHeaderConfiguration blocking()
-
reporting
public CSPHeaderConfiguration reporting()
-
setNonceCreator
public ContentSecurityPolicySettings setNonceCreator(Supplier<String> nonceCreator)
Sets the creator of nonces.
- Parameters:
nonceCreator - The new creator, must not be null.
- Returns:
this for chaining.
-
setProtectedFilter
public ContentSecurityPolicySettings setProtectedFilter(Predicate<IRequestHandler> protectedFilter)
Sets the predicate that determines which requests must be protected by the CSP. When the predicate evaluates to false, the request will not be protected.
- Parameters:
protectedFilter - The new filter, must not be null.
- Returns:
this for chaining.
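An added example (not from the Wicket Javadoc or the project's code) that combines setNonceCreator and setProtectedFilter with the blocking configuration shown at the top of this page. CspSetup, newNonce and the unprotectedPage parameter are hypothetical names; CSPDirectiveSrcValue.NONCE and RenderPageRequestHandler.getPageClass() do not appear on this page and are assumed from the Wicket API.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.ContentSecurityPolicySettings;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;

/** Hypothetical helper, intended to be called from WebApplication#init(). */
public final class CspSetup {
    private static final SecureRandom RNG = new SecureRandom();

    private CspSetup() {
    }

    /** 128 random bits from a CSPRNG, base64url without padding (22 characters). */
    static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** @param unprotectedPage hypothetical page class that is served without CSP */
    public static void configure(WebApplication app,
            Class<? extends IRequestablePage> unprotectedPage) {
        ContentSecurityPolicySettings csp = app.getCspSettings();

        // Same directives as the class-level example, plus the per-request nonce for scripts.
        csp.blocking().clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF);

        csp.setNonceCreator(CspSetup::newNonce)
            .setProtectedFilter(handler -> {
                // Only page renders are protected, matching the documented default.
                if (!(handler instanceof RenderPageRequestHandler)) {
                    return false;
                }
                // A false result means the request is not protected by the CSP,
                // so the exemption is limited to exactly one page class.
                Class<?> page = ((RenderPageRequestHandler) handler).getPageClass();
                return !unprotectedPage.equals(page);
            });
    }
}
```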
-
mustProtectRequest
protected boolean mustProtectRequest(IRequestHandler handler)
Should any request be protected by CSP.
- Parameters:
handler -
- Returns:
true by default for all RenderPageRequestHandlers
- See Also:
setProtectedFilter(Predicate)
-
isNonceEnabled
public final boolean isNonceEnabled()
Returns true if any of the headers includes a directive with a nonce.
- Returns:
- If a nonce is used in the CSP.
-
getNonce
public String getNonce(RequestCycle cycle)
-
createNonce
protected String createNonce()
Create a new nonce.
- Returns:
- nonce
- See Also:
setNonceCreator(Supplier)
-
getConfiguration
public Map<CSPHeaderMode,CSPHeaderConfiguration> getConfiguration()
Returns the CSP configuration per CSPHeaderMode.
- Returns:
- the CSP configuration per CSPHeaderMode.
-
enforce
public void enforce(WebApplication application)
Enforce CSP settings on an application.
- Parameters:
application - application
-
isEnabled
public boolean isEnabled()
Is CSP enabled.
-
-