
Example Analysis of content Security Policy in Spring Security

2025-04-04 Update From: SLTechnology News&Howtos (Development)


Shulou(Shulou.com)06/01 Report--

This article walks through an example of building a Content Security Policy in Spring Security. It is quite detailed and has reference value, so readers who are interested should read it to the end.

Content-Security-Policy is important for web security. However, it is not mainstream yet, its syntax is difficult and rather off-putting, and tools rarely provide flexible support for it.

Although Spring Security does have built-in content security policy (CSP) configuration, it only lets you specify a static policy string rather than building one dynamically. In some cases you need more than that.

In particular, CSP discourages inline JavaScript because it introduces vulnerabilities. If you really need it, you can allow it with unsafe-inline, but that is a bad option because it negates much of the point of CSP. The alternative shown here is to use a hash or a nonce.

If you use `.and().headers().contentSecurityPolicy(policy)`, the policy string is static, so you cannot generate a fresh random nonce for each request, and a static nonce is useless. First, you define a CSP nonce filter:

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.apache.commons.lang3.StringUtils; // isNotBlank comes from commons-lang3
import org.springframework.web.filter.GenericFilterBean;

public class CSPNonceFilter extends GenericFilterBean {
    private static final int NONCE_SIZE = 32; // recommended is at least 128 bits / 16 bytes
    private static final String CSP_NONCE_ATTRIBUTE = "cspNonce";

    private SecureRandom secureRandom = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Generate a fresh, unpredictable nonce for this request only
        byte[] nonceArray = new byte[NONCE_SIZE];
        secureRandom.nextBytes(nonceArray);
        String nonce = Base64.getEncoder().encodeToString(nonceArray);

        // Expose the nonce to templates so inline <script> tags can carry it
        request.setAttribute(CSP_NONCE_ATTRIBUTE, nonce);

        // Wrap the response so the CSP header written downstream gets the nonce filled in
        chain.doFilter(request, new CSPNonceResponseWrapper(response, nonce));
    }

    /**
     * Wrapper to fill the nonce value
     */
    public static class CSPNonceResponseWrapper extends HttpServletResponseWrapper {
        private String nonce;

        public CSPNonceResponseWrapper(HttpServletResponse response, String nonce) {
            super(response);
            this.nonce = nonce;
        }

        @Override
        public void setHeader(String name, String value) {
            if (name.equals("Content-Security-Policy") && StringUtils.isNotBlank(value)) {
                super.setHeader(name, value.replace("{nonce}", nonce));
            } else {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (name.equals("Content-Security-Policy") && StringUtils.isNotBlank(value)) {
                super.addHeader(name, value.replace("{nonce}", nonce));
            } else {
                super.addHeader(name, value);
            }
        }
    }
}
```

Then register it in your Spring Security configuration with `.addFilterBefore(new CSPNonceFilter(), HeaderWriterFilter.class)`.

The policy string should contain `'nonce-{nonce}'`; the `{nonce}` placeholder is what the filter replaces with the random value on each request.

The filter is placed before HeaderWriterFilter so that it can wrap the response and intercept all calls that set headers. Why can't it simply overwrite the header with response.setHeader(..) after HeaderWriterFilter has set it? Because by then the response has already been committed, and the override has no effect.
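The registration and the placeholder-bearing policy string together, as an added example that is not code from the original article. It assumes the CSPNonceFilter class above is on the classpath and uses the Spring Security 5.7-style lambda DSL with a SecurityFilterChain bean (the article's `.and().headers()` chaining is the older equivalent); the directives in the policy are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriterFilter;

@Configuration
@EnableWebSecurity
public class CspSecurityConfig {

    // Placeholder that CSPNonceFilter replaces with a fresh Base64 nonce on every response.
    private static final String NONCE_PLACEHOLDER = "{nonce}";

    // Constructed policy: scripts may come from this origin or be inline only if they
    // carry the per-request nonce; everything else falls back to 'self'.
    static final String POLICY = "default-src 'self'; "
            + "script-src 'self' 'nonce-" + NONCE_PLACEHOLDER + "'; "
            + "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

    @Bean
    public SecurityFilterChain cspFilterChain(HttpSecurity http) throws Exception {
        http
            // Must run before HeaderWriterFilter so the wrapper sees the CSP header being written.
            .addFilterBefore(new CSPNonceFilter(), HeaderWriterFilter.class)
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives(POLICY)))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The policy string itself is still static, as the article notes; the only dynamic part is the value the filter substitutes for `{nonce}`. Keep the placeholder inside the single quotes of the `nonce-` source expression, otherwise the browser will not parse the resulting directive.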

Then on a page where you need an inline script for some reason, you can use:

...

(I use the Pebble template syntax, but you can use any template engine to output the request attribute cspNonce.)
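A small check of the filter's behaviour, added here as an example and not part of the original article. It assumes the CSPNonceFilter class shown above, the spring-test mock servlet classes (MockHttpServletRequest, MockHttpServletResponse, MockFilterChain), and the javax.servlet namespace; the downstream servlet stands in for HeaderWriterFilter writing the policy, and the policy string is constructed for the check.

```java
import java.io.IOException;
import java.util.Base64;

import javax.servlet.GenericServlet;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

public class CspNonceFilterCheck {

    // Constructed policy containing the placeholder the filter is expected to replace.
    static final String TEMPLATE_POLICY = "script-src 'self' 'nonce-{nonce}'";

    // Stand-in for HeaderWriterFilter: something after CSPNonceFilter sets the CSP header.
    static class HeaderSettingServlet extends GenericServlet {
        @Override
        public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", TEMPLATE_POLICY);
        }
    }

    /** Runs one request through the filter and returns the CSP header the client would receive. */
    static String runRequest(MockHttpServletRequest request) throws ServletException, IOException {
        MockHttpServletResponse response = new MockHttpServletResponse();
        new CSPNonceFilter().doFilter(request, response, new MockFilterChain(new HeaderSettingServlet()));
        return response.getHeader("Content-Security-Policy");
    }

    /** Extracts the value between 'nonce- and the closing quote. */
    static String nonceFrom(String header) {
        int start = header.indexOf("'nonce-") + "'nonce-".length();
        int end = header.indexOf('\'', start);
        return header.substring(start, end);
    }

    public static void main(String[] args) throws Exception {
        MockHttpServletRequest first = new MockHttpServletRequest("GET", "/");
        MockHttpServletRequest second = new MockHttpServletRequest("GET", "/");

        String header1 = runRequest(first);
        String header2 = runRequest(second);

        // 1. The placeholder must never reach the browser.
        if (header1.contains("{nonce}")) throw new AssertionError("placeholder leaked: " + header1);

        // 2. The nonce in the header must equal the one templates read from the request attribute,
        //    otherwise nonce-bearing inline scripts will be blocked.
        String attr = (String) first.getAttribute("cspNonce");
        if (!nonceFrom(header1).equals(attr)) throw new AssertionError("header/attribute nonce mismatch");

        // 3. Nonces must change per request and decode to the 32 random bytes the filter generates.
        if (nonceFrom(header1).equals(nonceFrom(header2))) throw new AssertionError("nonce reused across requests");
        if (Base64.getDecoder().decode(attr).length != 32) throw new AssertionError("unexpected nonce length");

        System.out.println("CSP header: " + header1);
    }
}
```

The second check is the one that catches the mistake the article warns about: if the header were set after the response had committed, or if a template printed a different attribute than the filter populates, the browser would still block the script even though a nonce appears in the policy.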

Once again, inline JavaScript is rarely a good idea, but sometimes it is necessary, at least temporarily.

For example, when you add CSP to a legacy application and cannot rewrite everything.

We should have CSP everywhere, but building the policy should be helped by the framework we use; otherwise writing an appropriate policy that does not break your application and is secure at the same time is tedious.

That is all the content of the article "Example Analysis of Content Security Policy in Spring Security". Thank you for reading!


© 2024 shulou.com SLNews company. All rights reserved.
