Package org.apache.wicket.csp

Class CSPHeaderConfiguration

    • Constructor Detail

      • CSPHeaderConfiguration

        public CSPHeaderConfiguration()

    • Method Detail

      • disabled

        public CSPHeaderConfiguration disabled()
        Removes all directives from the CSP, returning an empty configuration.
        Returns:
        this for chaining.

      • unsafeInline

        public CSPHeaderConfiguration unsafeInline()
        Builds a CSP configuration with the following directives: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self' base-uri 'self'. This will allow resources to be loaded from 'self' (the current host). In addition, unsafe inline Javascript, eval() and inline CSS is allowed. It is recommended to not allow unsafe-inline or unsafe-eval, because those can be used to trigger XSS attacks in your application (often in combination with another bug). Because older application often rely on inline scripting and styling, this CSP can be used as a stepping stone for older Wicket applications, before switching to strict(). Using a CSP with unsafe directives is still more secure than using no CSP at all.
        Returns:
        this for chaining.

      • strict

        public CSPHeaderConfiguration strict()
        Builds a strict, very secure CSP configuration with the following directives: default-src 'none'; script-src 'strict-dynamic' 'nonce-XYZ'; style-src 'nonce-XYZ'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; frame-src 'self' base-uri 'self'. This will allow most resources to be loaded from 'self' (the current host). Scripts and styles are only allowed when rendered with the correct nonce. Wicket will automatically add the nonces to the script and link (CSS) elements and to the headers.
        Returns:
        this for chaining.

      • reportBack

        public CSPHeaderConfiguration reportBack()
        Configures the CSP to report violations back at the application. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this.
        Returns:
        this for chaining
        See Also:
        https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp

      • reportBackAt

        public CSPHeaderConfiguration reportBackAt​(String mountPath)
        Configures the CSP to report violations at the specified relative URI. WARNING: CSP reporting can generate a lot of traffic. A single page load can trigger multiple violations and flood your logs or even DDoS your server. In addition, it is an open endpoint for your application and can be used by an attacker to flood your application logs. Do not enable this feature on a production application unless you take the needed precautions to prevent this.
        Parameters:
        mountPath - The path to report the violations at.
        Returns:
        this for chaining
        See Also:
        https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp

      • isNonceEnabled

        public boolean isNonceEnabled()
        True when the CSPDirectiveSrcValue.NONCE is used in one of the directives.
        Returns:
        When any of the directives contains a nonce.

      • isAddLegacyHeaders

        public boolean isAddLegacyHeaders()
        True when legacy headers should be added.
        Returns:
        True when legacy headers should be added.

      • setAddLegacyHeaders

        public CSPHeaderConfiguration setAddLegacyHeaders​(boolean addLegacyHeaders)
        Enable legacy X-Content-Security-Policy headers for older browsers, such as IE.
        Parameters:
        addLegacyHeaders - True when the legacy headers should be added.
        Returns:
        this for chaining

      • remove

        public CSPHeaderConfiguration remove​(CSPDirective directive)
        Removes the given directive from the configuration.
        Parameters:
        directive - The directive to remove.
        Returns:
        this for chaining

      • add

        public CSPHeaderConfiguration add​(CSPDirective directive,
                                  CSPRenderable... values)
        Adds the given values to the CSP directive on this configuraiton.
        Parameters:
        directive - The directive to add the values to.
        values - The values to add.
        Returns:
        this for chaining

      • add

        public CSPHeaderConfiguration add​(CSPDirective directive,
                                  String... values)
        Adds a free-form value to a directive for the CSP header. This is primarily meant to used for URIs.
        Parameters:
        directive - The directive to add the values to.
        values - The values to add.
        Returns:
        this for chaining

      • getDirectives

        public Map<CSPDirective,​List<CSPRenderable>> getDirectives()
        Returns an unmodifiable map of the directives set for this header.
        Returns:
        The directives set for this header.

      • isSet

        public boolean isSet()
        Returns:
        true if this CSPHeaderConfiguration has any directives configured.

      • clear

        public CSPHeaderConfiguration clear()
        Removes all CSP directives from the configuration.
        Returns:
        this for chaining.