I read about configuring/implementing Content-Security-Policy header and I came accross 2 ways of doing it:
Please note that this question is not duplicate of this, Iam looking for a solution better than given in this link
I see the drawbacks in (1) is its driven through code, not through a configuration file , drawbacks in option (2) is if I have say 100 html files, I need to put this tag in every HTML? (correct me if I'm wrong) The solution I'm looking for is something I can configure in web.xml and becomes applicable for all the html files. Something the way we do in case of configuring X-Frame-Options in web.xml like given here, don't we have similar way of configuring Content-Security-Policy in web.xml ?
You can use the recommendation provided by OWASP
here. It is a web filter that you can implement in your backend.
The below filter has to be then defined in your web.xml
file. This gets called on every request in your application. In java you may do that by creating an appropriate class.
<filter>
<filter-name>ContentSecurityPolicy</filter-name>
<filter-class>YourPackagePath.ContentSecurityPolicyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ContentSecurityPolicy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The above will implement the below values for content-security-policy in your HTTP Header
default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block