Class CSPHeaderConfiguration

java.lang.Object
org.apache.wicket.csp.CSPHeaderConfiguration

public class CSPHeaderConfiguration extends Object
CSPHeaderConfiguration contains the configuration for a Content-Security-Policy header. This configuration is constructed using the available CSPDirectives. A number of default profiles are provided; these can be used as a basis for a specific CSP, and extra directives can be added or existing directives modified.
Author:
papegaaij
  • Method Details

    • disabled

      Removes all directives from the CSP, returning an empty configuration.
      Returns:
      this for chaining.
    • unsafeInline

Builds a CSP configuration with the following directives: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'. This will allow resources to be loaded from 'self' (the current host). In addition, unsafe inline JavaScript, eval() and inline CSS are allowed. It is recommended not to allow unsafe-inline or unsafe-eval, because those can be used to trigger XSS attacks in your application (often in combination with another bug). Because older applications often rely on inline scripting and styling, this CSP can be used as a stepping stone for older Wicket applications before switching to strict(). Using a CSP with unsafe directives is still more secure than using no CSP at all.
      Returns:
      this for chaining.
    • strict

Builds a strict, very secure CSP configuration with the following directives: default-src 'none'; script-src 'strict-dynamic' 'nonce-XYZ'; style-src 'nonce-XYZ'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self'; base-uri 'self'. This will allow most resources to be loaded from 'self' (the current host). Scripts and styles are only allowed when rendered with the correct nonce. Wicket will automatically add the nonces to the script and link (CSS) elements and to the headers.
      Returns:
      this for chaining.
    • reportBack

Configures the CSP to report violations back to the application. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this.
      Returns:
      this for chaining
    • reportBackAt

      Configures the CSP to report violations at the specified relative URI. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this.
      Parameters:
      mountPath - The path to report the violations at.
      Returns:
      this for chaining
    • isNonceEnabled

      public boolean isNonceEnabled()
      True when the CSPDirectiveSrcValue.NONCE is used in one of the directives.
      Returns:
      When any of the directives contains a nonce.
    • isAddLegacyHeaders

      public boolean isAddLegacyHeaders()
      True when legacy headers should be added.
      Returns:
      True when legacy headers should be added.
    • setAddLegacyHeaders

      public CSPHeaderConfiguration setAddLegacyHeaders(boolean addLegacyHeaders)
      Enable legacy X-Content-Security-Policy headers for older browsers, such as IE.
      Parameters:
      addLegacyHeaders - True when the legacy headers should be added.
      Returns:
      this for chaining
    • remove

      Removes the given directive from the configuration.
      Parameters:
      directive - The directive to remove.
      Returns:
      this for chaining
    • add

      public CSPHeaderConfiguration add(CSPDirective directive, CSPRenderable... values)
Adds the given values to the CSP directive on this configuration.
      Parameters:
      directive - The directive to add the values to.
      values - The values to add.
      Returns:
      this for chaining
    • add

      public CSPHeaderConfiguration add(CSPDirective directive, String... values)
Adds a free-form value to a directive for the CSP header. This is primarily meant to be used for URIs.
      Parameters:
      directive - The directive to add the values to.
      values - The values to add.
      Returns:
      this for chaining
    • getDirectives

      Returns an unmodifiable map of the directives set for this header.
      Returns:
      The directives set for this header.
    • isSet

      public boolean isSet()
      Returns:
      true if this CSPHeaderConfiguration has any directives configured.
    • clear

      Removes all CSP directives from the configuration.
      Returns:
      this for chaining.
    • renderHeaderValue

      Renders this CSPHeaderConfiguration into an HTTP header. The returned String will be in the form "key1 value1a value1b; key2 value2a; key3 value3a value3b value3c".
      Parameters:
      settings - The ContentSecurityPolicySettings that renders the header.
      cycle - The current RequestCycle.
      Returns:
      the rendered header.
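The following is an added example of how the profiles and the add/remove methods above are typically combined in a Wicket application's init(); it is not code from the Wicket Javadoc. It assumes the surrounding Wicket API (WebApplication.getCspSettings() returning ContentSecurityPolicySettings with a blocking() accessor) and the CSPDirective constants IMG_SRC and FRAME_SRC; the CDN hostname is a constructed placeholder.

```java
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.protocol.http.WebApplication;

// Added example, not part of the Wicket project: starts from the strict()
// profile documented above and tailors it with add()/remove().
public class MyApplication extends WebApplication {
    @Override
    protected void init() {
        super.init();

        // Assumed: getCspSettings().blocking() yields the CSPHeaderConfiguration
        // used for the enforcing Content-Security-Policy header.
        getCspSettings().blocking()
            // default-src 'none'; nonce-gated script-src/style-src; other
            // fetch directives 'self'. Wicket adds the nonce to script and
            // link tags it renders, so no 'unsafe-inline' is needed.
            .strict()
            // add(CSPDirective, String...) appends free-form URI values;
            // img-src becomes "'self' https://cdn.example.invalid" because
            // add() extends the directive instead of replacing it.
            // (hostname is a constructed placeholder)
            .add(CSPDirective.IMG_SRC, "https://cdn.example.invalid")
            // remove() drops a directive entirely. With default-src 'none'
            // in place, removing frame-src means no framed content is
            // allowed at all, rather than falling back to 'self'.
            .remove(CSPDirective.FRAME_SRC);
    }
}
```

During migration, replacing strict() with unsafeInline() in the chain above gives the documented stepping-stone policy while the rest of the customisation stays the same.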