- java.lang.Object
-
- org.apache.wicket.csp.ContentSecurityPolicySettings
-
public class ContentSecurityPolicySettings extends Object
Build the CSP configuration like this:
SeemyApplication.getCspSettings().blocking().clear() .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE) .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF) .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF) .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF)); myApplication.getCspSettings().reporting().strict();CSPHeaderConfigurationfor more details on specifying the configuration.- Author:
- Sven Haster, Emond Papegaaij
- See Also:
- https://www.w3.org/TR/CSP2, https://developer.mozilla.org/en-US/docs/Web/Security/CSP
-
-
Field Summary
Fields Modifier and Type Field Description static MetaDataKey<String>NONCE_KEY
-
Constructor Summary
Constructors Constructor Description ContentSecurityPolicySettings(Application application)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description CSPHeaderConfigurationblocking()protected StringcreateNonce()voidenforce(WebApplication application)Enforce CSP settings on an application.Map<CSPHeaderMode,CSPHeaderConfiguration>getConfiguration()Returns the CSP configuration perCSPHeaderMode.StringgetNonce(RequestCycle cycle)booleanisNonceEnabled()Returns true if any of the headers includes a directive with a nonce.protected booleanmustProtectRequest(org.apache.wicket.request.IRequestHandler handler)Should any request be protected by CSP.CSPHeaderConfigurationreporting()ContentSecurityPolicySettingssetProtectedFilter(Predicate<org.apache.wicket.request.IRequestHandler> protectedFilter)Sets the predicate that determines which requests must be protected by the CSP.
-
-
-
Field Detail
-
NONCE_KEY
public static final MetaDataKey<String> NONCE_KEY
-
-
Constructor Detail
-
ContentSecurityPolicySettings
public ContentSecurityPolicySettings(Application application)
-
-
Method Detail
-
blocking
public CSPHeaderConfiguration blocking()
-
reporting
public CSPHeaderConfiguration reporting()
-
setProtectedFilter
public ContentSecurityPolicySettings setProtectedFilter(Predicate<org.apache.wicket.request.IRequestHandler> protectedFilter)
Sets the predicate that determines which requests must be protected by the CSP. When the predicate evaluates to false, the request will not be protected.- Parameters:
protectedFilter- The new filter, must not be null.- Returns:
thisfor chaining.
-
mustProtectRequest
protected boolean mustProtectRequest(org.apache.wicket.request.IRequestHandler handler)
Should any request be protected by CSP.- Parameters:
handler-- Returns:
trueby default- See Also:
setProtectedFilter(Predicate)
-
isNonceEnabled
public final boolean isNonceEnabled()
Returns true if any of the headers includes a directive with a nonce.- Returns:
- If a nonce is used in the CSP.
-
getNonce
public String getNonce(RequestCycle cycle)
-
createNonce
protected String createNonce()
-
getConfiguration
public Map<CSPHeaderMode,CSPHeaderConfiguration> getConfiguration()
Returns the CSP configuration perCSPHeaderMode.- Returns:
- the CSP configuration per
CSPHeaderMode.
-
enforce
public void enforce(WebApplication application)
Enforce CSP settings on an application.- Parameters:
application- application
-
-