configuring Content-Security-Policy in tomcat

vsp · Aug 31, 2016

I read about configuring/implementing the Content-Security-Policy header and I came across 2 ways of doing it:

  1. using custom filter that implements Filter as given in this link
  2. using meta tag

Please note that this question is not a duplicate of this; I am looking for a solution better than the one given in this link.

I see the drawback in (1) is that it's driven through code, not through a configuration file; the drawback in option (2) is that if I have, say, 100 HTML files, I need to put this tag in every HTML file (correct me if I'm wrong). The solution I'm looking for is something I can configure in web.xml that becomes applicable for all the HTML files, the way we configure X-Frame-Options in web.xml as given here. Don't we have a similar way of configuring Content-Security-Policy in web.xml?

Answer

RICHARD ABRAHAM · May 31, 2019

Configure content-security-policy in web.xml

You can use the recommendation provided by OWASP here. It is a web filter that you can implement in your backend.

The below filter has to be then defined in your web.xml file. This gets called on every request in your application. In Java you may do that by creating an appropriate class.

    <filter>
        <filter-name>ContentSecurityPolicy</filter-name>
        <filter-class>YourPackagePath.ContentSecurityPolicyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ContentSecurityPolicy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The above will implement the below values for content-security-policy in your HTTP Header

default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block
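As an added example (not the OWASP filter and not the answerer's code), here is a minimal Servlet filter class matching the `<filter-class>` in the web.xml above; it assumes the `javax.servlet` API as shipped with Tomcat 7/8 and an optional `<init-param>` named `policy`, a name I chose so the policy string can live in web.xml rather than in code.

```java
package YourPackagePath; // placeholder package, matches the <filter-class> entry above

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {

    // Policy quoted in the answer above, used when web.xml supplies none.
    // Caveat: 'unsafe-inline' and 'unsafe-eval' in script-src largely defeat CSP's
    // XSS protection; 'reflected-xss' is a withdrawn draft directive that current
    // browsers ignore. Tighten both once inline scripts are moved to static files.
    private static final String DEFAULT_POLICY =
        "default-src 'none'; style-src 'self' 'unsafe-inline'; "
      + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; "
      + "frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block";

    private String policy = DEFAULT_POLICY;

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param name "policy": lets operators change the policy in web.xml only.
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // setHeader, not addHeader: exactly one policy header even if the filter
            // runs more than once for a request (e.g. on a forward).
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", policy);
        }
        // Set the header before the chain writes the body; once the response is
        // committed, headers can no longer be added.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

To override the default from web.xml, add an `<init-param>` with `<param-name>policy</param-name>` inside the `<filter>` element shown above.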