Content-Security-Policy Spring Security
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the same CC BY-SA license, credit the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/24057040/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Asked by Tito
Assuming a working hello world example of Spring Security and Spring MVC.
When I take a trace with Wireshark I see the following flags on the HTTP request:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly
I would like to add this to my headers:
Content-Security-Policy: script-src 'self'
I know that X-Frame-Options is doing almost the same job, but still it makes me sleep better. Now I guess that I would need to do it under the configure function of my Spring Security configuration; however, I do not know how exactly, i.e. I suppose .headers().something.something(self)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // .csrf().disable()
        // .headers().disable()
        .authorizeRequests()
            .antMatchers("/register",
                         "/static/**",
                         "/h2/**",
                         "/resources/**",
                         "/resources/static/css/**",
                         "/resources/static/img/**",
                         "/resources/static/js/**",
                         "/resources/static/pdf/**"
            ).permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .permitAll();
}
Answered by Christopher Pelloux
Simply use the addHeaderWriter method like this:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                // writes the given header name/value pair verbatim on every response
                .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
        // ...
    }
}
Note that as soon as you specify any headers that should be included, then only those headers will be included.
To include the default headers you can do:
http
    .headers()
        .contentTypeOptions()
        .xssProtection()
        .cacheControl()
        .httpStrictTransportSecurity()
        .frameOptions()
        .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
// ...
You can refer to the Spring Security documentation.
Answered by Slava Semushin
While the approach with StaticHeadersWriter works, in the newest versions of Spring Security it's possible to use a special method:
http
    .headers()
        .contentSecurityPolicy("script-src 'self'");
See documentation for details: https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure
Answered by tomcyjohn
As documented in the Spring Security documentation: https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                // policy string is sent as-is; reportOnly() switches the header to
                // Content-Security-Policy-Report-Only so violations are reported, not blocked
                .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
                .reportOnly();
    }
}
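As an added example (my own code, not from the question or any of the answers above), here is a Spring Security 5.x configuration that keeps the default headers, emits the standard Content-Security-Policy header (the first answer's StaticHeadersWriter sends the legacy X-Content-Security-Policy name, which current browsers ignore), and wires up the report-uri endpoint so violation reports actually land somewhere you can read them. It assumes the Spring Security 5.2+ lambda DSL, a component-scanned package, and the class names and /csp-report-endpoint/ path I chose here.

```java
// Added example: Spring Security 5.x CSP config with a report collector. Not from the page.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class CspSecurityConfig extends WebSecurityConfigurerAdapter {

    // frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY from the question;
    // object-src 'none' closes the plugin hole the script-src rule alone leaves open.
    static final String POLICY =
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; "
        + "report-uri /csp-report-endpoint/";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/csp-report-endpoint/").permitAll() // browsers POST reports unauthenticated
                .anyRequest().authenticated())
            .formLogin(login -> login.loginPage("/login").permitAll())
            // Violation reports carry no CSRF token, so exempt only this one path.
            .csrf(csrf -> csrf.ignoringAntMatchers("/csp-report-endpoint/"))
            // headers() keeps nosniff, HSTS, cache-control, X-Frame-Options etc. and adds CSP.
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives(POLICY)
                    // Start in report-only mode (Content-Security-Policy-Report-Only) so a
                    // too-strict policy shows up as reports, not a broken UI; remove to enforce.
                    .reportOnly()));
    }
}

// Collects the JSON violation reports the browser sends to report-uri (media type
// application/csp-report). Each report names the blocked URI and violated directive.
@RestController
class CspReportController {
    @PostMapping(value = "/csp-report-endpoint/", consumes = "application/csp-report")
    public void receive(@RequestBody String report) {
        // Replace with your logging/SIEM pipeline; this is what you tune the policy against.
        System.out.println("CSP violation report: " + report);
    }
}
```

Check the result with curl -I against any page: in report-only mode you should see Content-Security-Policy-Report-Only alongside the default headers, and the report endpoint should answer a POST without a CSRF token.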