Package org.apache.wicket.csp
Class CSPHeaderConfiguration

java.lang.Object
  org.apache.wicket.csp.CSPHeaderConfiguration

public class CSPHeaderConfiguration

CSPHeaderConfiguration contains the configuration for a Content-Security-Policy header. The configuration is built from the available CSPDirectives. A number of default profiles are provided (unsafeInline() and strict()); these profiles can be used as a basis for an application-specific CSP, and extra directives can be added or existing directives modified with add(CSPDirective, CSPRenderable...), add(CSPDirective, String...) and remove(CSPDirective).

- Author:
  papegaaij
Field Summary

- static final String CSP_VIOLATION_REPORTING_URI

Constructor Summary

- CSPHeaderConfiguration()

Method Summary
- CSPHeaderConfiguration add(CSPDirective directive, CSPRenderable... values)
  Adds the given values to the CSP directive on this configuration.
- CSPHeaderConfiguration add(CSPDirective directive, String... values)
  Adds a free-form value (primarily a URI) to a directive for the CSP header.
- CSPHeaderConfiguration clear()
  Removes all CSP directives from the configuration.
- CSPHeaderConfiguration disabled()
  Removes all directives from the CSP, returning an empty configuration.
- Map<CSPDirective, List<CSPRenderable>> getDirectives()
  Returns an unmodifiable map of the directives set for this header.
- boolean isAddLegacyHeaders()
  True when legacy headers should be added.
- boolean isNonceEnabled()
  True when CSPDirectiveSrcValue.NONCE is used in one of the directives.
- boolean isSet()
  True if this CSPHeaderConfiguration has any directives configured.
- CSPHeaderConfiguration remove(CSPDirective directive)
  Removes the given directive from the configuration.
- String renderHeaderValue(ContentSecurityPolicySettings settings, RequestCycle cycle)
  Renders this CSPHeaderConfiguration into an HTTP header value.
- CSPHeaderConfiguration reportBack()
  Configures the CSP to report violations back at the application.
- CSPHeaderConfiguration reportBackAt(String mountPath)
  Configures the CSP to report violations at the specified relative URI.
- CSPHeaderConfiguration setAddLegacyHeaders(boolean addLegacyHeaders)
  Enables legacy X-Content-Security-Policy headers for older browsers, such as IE.
- CSPHeaderConfiguration strict()
  Builds a strict, very secure CSP configuration with the following directives:
  default-src 'none'; script-src 'strict-dynamic' 'nonce-XYZ'; style-src 'nonce-XYZ'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'
- CSPHeaderConfiguration unsafeInline()
  Builds a permissive CSP configuration with the following directives:
  default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'
Field Details

CSP_VIOLATION_REPORTING_URI

public static final String CSP_VIOLATION_REPORTING_URI

- See Also:
  reportBack()

Constructor Details

CSPHeaderConfiguration

public CSPHeaderConfiguration()
Method Details

disabled

public CSPHeaderConfiguration disabled()

Removes all directives from the CSP, returning an empty configuration.

- Returns:
  this, for chaining.
unsafeInline

public CSPHeaderConfiguration unsafeInline()

Builds a CSP configuration with the following directives:

default-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self';
connect-src 'self';
font-src 'self';
manifest-src 'self';
child-src 'self';
frame-src 'self';
base-uri 'self'

This allows resources to be loaded from 'self' (the current host). In addition, inline JavaScript, eval() and inline CSS are allowed. It is recommended not to allow unsafe-inline or unsafe-eval, because they can be used to turn another bug (typically an HTML injection) into a working XSS attack against your application. Because older applications often rely on inline scripting and styling, this CSP can be used as a stepping stone for older Wicket applications before switching to strict(). Using a CSP with unsafe directives is still more secure than using no CSP at all: the other directives (for example base-uri and connect-src) remain enforced.

- Returns:
  this, for chaining.
strict

public CSPHeaderConfiguration strict()

Builds a strict, very secure CSP configuration with the following directives:

default-src 'none';
script-src 'strict-dynamic' 'nonce-XYZ';
style-src 'nonce-XYZ';
img-src 'self';
connect-src 'self';
font-src 'self';
manifest-src 'self';
child-src 'self';
frame-src 'self';
base-uri 'self'

This allows most resources to be loaded from 'self' (the current host). Scripts and styles are only allowed when rendered with the correct nonce ('nonce-XYZ' above stands for the per-request value). Wicket automatically adds the nonces to the script and link (CSS) elements it renders and to the header. Note that the profile does not set frame-ancestors, so pages remain embeddable by other origins unless that directive is added.

- Returns:
  this, for chaining.
reportBack

public CSPHeaderConfiguration reportBack()

Configures the CSP to report violations back at the application, at the default path CSP_VIOLATION_REPORTING_URI. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, the reporting path is an open, unauthenticated endpoint of your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions (such as rate limiting and log quotas) to prevent this.

- Returns:
  this, for chaining.
- See Also:
  reportBackAt(String)

reportBackAt

public CSPHeaderConfiguration reportBackAt(String mountPath)

Configures the CSP to report violations at the specified relative URI. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, the reporting path is an open, unauthenticated endpoint of your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions (such as rate limiting and log quotas) to prevent this.

- Parameters:
  mountPath - The relative path at which violations are reported.
- Returns:
  this, for chaining.
- See Also:
  reportBack()
isNonceEnabled

public boolean isNonceEnabled()

True when CSPDirectiveSrcValue.NONCE is used in one of the directives.

- Returns:
  true when any of the directives contains a nonce.

isAddLegacyHeaders

public boolean isAddLegacyHeaders()

True when legacy headers should be added.

- Returns:
  true when legacy headers should be added.

setAddLegacyHeaders

public CSPHeaderConfiguration setAddLegacyHeaders(boolean addLegacyHeaders)

Enables the legacy X-Content-Security-Policy header for older browsers, such as IE. Current browsers ignore the legacy header and only honour Content-Security-Policy, so enabling it adds header bytes without changing enforcement for them.

- Parameters:
  addLegacyHeaders - true when the legacy headers should be added.
- Returns:
  this, for chaining.
remove

public CSPHeaderConfiguration remove(CSPDirective directive)

Removes the given directive from the configuration.

- Parameters:
  directive - The directive to remove.
- Returns:
  this, for chaining.

add

public CSPHeaderConfiguration add(CSPDirective directive, CSPRenderable... values)

Adds the given values to the CSP directive on this configuration. Values are appended to any values the directive already has; to replace a directive, remove(CSPDirective) it first.

- Parameters:
  directive - The directive to add the values to.
  values - The values to add.
- Returns:
  this, for chaining.

add

public CSPHeaderConfiguration add(CSPDirective directive, String... values)

Adds a free-form value to a directive for the CSP header. This is primarily meant to be used for URIs (for example an external CDN host); keyword values such as 'self' or 'none' should be added via the CSPRenderable overload.

- Parameters:
  directive - The directive to add the values to.
  values - The values to add.
- Returns:
  this, for chaining.
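The following is an added example showing how the profiles, the two add(...) overloads, remove(...) and reportBackAt(...) documented above are combined in an application's init(). It is illustration written for this page, not code from the Wicket project. It assumes Wicket 9 or later (where a strict CSP is enabled by default), the blocking() and reportOnly() accessors on ContentSecurityPolicySettings, the enum constants CSPDirective.FRAME_ANCESTORS and CSPDirectiveSrcValue.NONE (none of which are documented on this page), and the following hypothetical names: the application class, HomePage, the two example.net hosts, the "cspreport" mount path and the csp-migration system property.

```java
package com.example.csp; // hypothetical package for this example

import org.apache.wicket.Page;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.ContentSecurityPolicySettings;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Example WebApplication combining the CSPHeaderConfiguration profiles with
 * add(...), remove(...) and reportBackAt(...). The hosts, the mount path and
 * the "csp-migration" property are assumptions made for this example.
 */
public class CspExampleApplication extends WebApplication
{
    @Override
    public Class<? extends Page> getHomePage()
    {
        return HomePage.class; // hypothetical page class
    }

    @Override
    protected void init()
    {
        super.init();
        ContentSecurityPolicySettings csp = getCspSettings();

        // Pick the profile via an assumed JVM property: -Dcsp-migration=true
        if (Boolean.getBoolean("csp-migration"))
        {
            configureForMigration(csp);
        }
        else
        {
            configureForProduction(csp);
        }
    }

    /**
     * Production: start from the strict profile and widen only what the
     * application needs. add(...) appends to a directive, it never replaces
     * it, so the profile's 'self' entries stay next to the extra hosts.
     */
    static void configureForProduction(ContentSecurityPolicySettings csp)
    {
        csp.blocking()
            .strict()
            // CSPRenderable overload for keyword values. frame-ancestors is not
            // covered by default-src, so strict() alone leaves pages frameable;
            // 'none' closes that clickjacking gap.
            .add(CSPDirective.FRAME_ANCESTORS, CSPDirectiveSrcValue.NONE)
            // String overload for free-form URIs (assumed external hosts).
            .add(CSPDirective.FONT_SRC, "https://fonts.example.net")
            .add(CSPDirective.CONNECT_SRC, "https://api.example.net")
            // This application embeds no frames: drop the profile's frame-src
            // and child-src so both fall back to default-src 'none'.
            .remove(CSPDirective.FRAME_SRC)
            .remove(CSPDirective.CHILD_SRC);
    }

    /**
     * Migration: keep the permissive profile enforced so existing inline
     * scripts still run, and evaluate the strict profile in report-only mode
     * so the browser reports what would break. Reports are sent to the assumed
     * "cspreport" path. This is exactly the situation the reportBack warning
     * covers: the endpoint is reachable by anyone, so do not leave it enabled
     * in production without rate limiting and log quotas.
     */
    static void configureForMigration(ContentSecurityPolicySettings csp)
    {
        csp.blocking().unsafeInline();
        csp.reportOnly()
            .strict()
            .reportBackAt("cspreport");
    }
}
```

The two-header migration setup works because browsers evaluate Content-Security-Policy and Content-Security-Policy-Report-Only independently: the permissive header decides what runs, the report-only header only produces violation reports. Once the reports stop arriving for legitimate pages, the strict profile can be moved to blocking() and the report-only configuration removed.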
getDirectives

public Map<CSPDirective, List<CSPRenderable>> getDirectives()

Returns an unmodifiable map of the directives set for this header.

- Returns:
  The directives set for this header.

isSet

public boolean isSet()

- Returns:
  true if this CSPHeaderConfiguration has any directives configured.

clear

public CSPHeaderConfiguration clear()

Removes all CSP directives from the configuration.

- Returns:
  this, for chaining.
renderHeaderValue

public String renderHeaderValue(ContentSecurityPolicySettings settings, RequestCycle cycle)

Renders this CSPHeaderConfiguration into an HTTP header value. The returned String will be in the form "key1 value1a value1b; key2 value2a; key3 value3a value3b value3c". The RequestCycle is required because nonce values ('nonce-XYZ' in the profiles above) are generated per request, so the rendered value differs from request to request when isNonceEnabled() is true.

- Parameters:
  settings - The ContentSecurityPolicySettings that renders the header.
  cycle - The current RequestCycle.
- Returns:
  the rendered header value.