假设一个有关spring spring和spring mvc的工作问候世界的例子。
当我使用wireshark进行跟踪时,我在http请求中看到以下标志
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly
我想将此添加到我的标题中:
Content-Security-Policy: script-src 'self'
我知道X-Frame-Options几乎完成了同样的工作,但它仍然让我睡得更好。 现在我想我需要在我的弹簧安全配置的配置功能下进行,但我不知道具体如何,即我想 .headers()。something.something(self)
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// .csrf().disable()
// .headers().disable()
.authorizeRequests()
.antMatchers( "/register",
"/static/**",
"/h2/**",
"/resources/**",
"/resources/static/css/**",
"/resources/static/img/**" ,
"/resources/static/js/**",
"/resources/static/pdf/**"
).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
答案 0 :(得分:15)
只需使用addHeaderWriter方法,如下所示:
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","script-src 'self'"))
// ...
}
}
请注意,只要您指定应包含的任何标头,那么只会包含这些标头。
要包含您可以执行的默认标头:
http
.headers()
.contentTypeOptions()
.xssProtection()
.cacheControl()
.httpStrictTransportSecurity()
.frameOptions()
.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","script-src 'self'"))
// ...
答案 1 :(得分:9)
虽然使用StaticHeadersWriter
的方法有效,但在最新版本的Spring Security中,可以使用特殊方法:
headers()
.contentSecurityPolicy("script-src 'self'");
有关详细信息,请参阅文档:https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure
答案 2 :(得分:1)
如Spring安全文档中所述: https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
.reportOnly();
}
}