Do I need a special filter to apply CSP to my Spring web application, or is this security configuration suff
Guest
Had a pen test recently on a web application I maintain and some of the feedback I received was -
"A restrictive setting should be set for Frame-Ancestors headers in the Content-Security-Policy header for all requested resources."
I had a quick google and found that I could add a filter which I have just done (code below) but looking at spring documentation - it looks like I can just add a simple config to my security xml file
Can I just stick with the xml config or does this not cover everything?
here is the line I have added to my xml
the filter

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Servlet filter that stamps a CSP frame-ancestors directive on every response it handles.
// (On Servlet versions before 4.0, init() and destroy() must also be overridden with empty bodies.)
public class CspFrameAncestorsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Only pages from this same origin may embed the application in a frame
        httpResponse.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
        chain.doFilter(request, response);
    }
}
```
Source: https://stackoverflow.com/questions/781 ... s-security
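The XML alternative the question refers to, as an added example that is not the poster's configuration (the line they added is not shown on the page): Spring Security's headers namespace emits the same CSP header, but only for requests that actually pass through the security filter chain, so any pattern excluded with security="none" never gets it, whereas a servlet filter registered in web.xml covers every response. Assumes Spring Security 4.1 or later (when the content-security-policy element was added); the /static/** path and the access rules are assumptions.

```xml
<!-- Added example of the Spring Security XML namespace approach, not the poster's config.
     Paths and access rules are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Weak spot: this chain bypasses Spring Security entirely, so responses for /static/**
         carry no Content-Security-Policy header and the pen-test finding ("all requested
         resources") still applies to them. Either drop this exclusion or rely on a plain
         servlet filter (as in the question) for such paths. -->
    <http pattern="/static/**" security="none"/>

    <!-- Every request handled by this chain gets the header from HeaderWriterFilter. -->
    <http>
        <headers>
            <!-- Same policy the servlet filter sets: framing allowed only from this origin. -->
            <content-security-policy policy-directives="frame-ancestors 'self'"/>
            <!-- Legacy equivalent for browsers without frame-ancestors support.
                 Spring Security sends X-Frame-Options: DENY by default; SAMEORIGIN
                 matches the CSP directive above. -->
            <frame-options policy="SAMEORIGIN"/>
        </headers>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login/>
    </http>

    <!-- An <authentication-manager> is still required for the context to start;
         it is unrelated to the header configuration and is left out here. -->
</beans:beans>
```

After deploying, confirm the header with a browser's network tab or a HEAD request against an error page and a static resource as well as a normal page, since those are the responses the filter-chain exclusion would miss.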