java 您应该在哪里配置内容安全策略?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/42444106/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where should you configure Content Security Policy?
提问by Thomas Stubbe
I have an angular application, that communicates with, depending on the setup, a REST API on Tomcat or a REST API on a Jetty. The angular-app itself is hosted on the same tomcat/jetty as a war.
我有一个角度应用程序,它根据设置与 Tomcat 上的 REST API 或 Jetty 上的 REST API 进行通信。angular-app 本身与 war 托管在同一个 tomcat/jetty 上。
The Tomcat setup might have an Apache in front (depending on the client)
Tomcat 设置前面可能有一个 Apache(取决于客户端)
The application needs to use base64 images (loaded trough css), but right now, if it's hosted on a server I get the following error:
该应用程序需要使用 base64 图像(通过 css 加载),但现在,如果它托管在服务器上,我会收到以下错误:
Refused to load the image 'data:image/png;base64,...' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
So what I've done: In index.html, I've set:
所以我做了什么:在 index.html 中,我设置了:
<meta http-equiv="Content-Security-Policy"
content="default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:; style-src http: https: 'unsafe-inline'; img-src 'self' data: https:; connect-src http: https: ws:;">
In a manual Spring filter, I've set:
在手动 Spring 过滤器中,我设置了:
httpServletResponse.setHeader("Content-Security-Policy",
"default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:; style-src http: https: 'unsafe-inline'; img-src 'self' data: https:; connect-src http: https: ws:;");
But of course, this has no effect, because I'm not calling the API for the html/js/css.
但是当然,这没有任何效果,因为我没有调用 html/js/css 的 API。
As I understand, this is not meant to be configured on Tomcat. Where do you normally configure Content Security Policy / Content-Security-Policy headers?
据我了解,这并不意味着要在 Tomcat 上进行配置。您通常在哪里配置 Content Security Policy / Content-Security-Policy 标头?
I need a solution that does not need manual configuration on the server where the files will be installed.
我需要一个不需要在将安装文件的服务器上手动配置的解决方案。
Thanks in advance!
提前致谢!
回答by Monzurul Haque Shimul
Spring Security allows users to easily inject security headers to assist in protecting their application. Here is the Spring Security Reference Documentfor content security policy. It's important to note that Spring Security does not add Content Security Policy by default. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. You can enable the CSP header using Java configuration as shown below:
Spring Security 允许用户轻松注入安全标头以帮助保护他们的应用程序。这是内容安全策略的Spring Security 参考文档。需要注意的是,Spring Security 默认不添加内容安全策略。Web 应用程序作者必须声明要强制执行和/或监视受保护资源的安全策略。您可以使用 Java 配置启用 CSP 标头,如下所示:
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
}
}
