Configuring a Content Security Policy

Content Security Policy (also called CSP) is a layer of security that helps to detect and mitigate certain types of attacks on web applications. It mainly helps against cross-site scripting and other code injection attacks, and can be used to enforce HTTPS-only loading of resources.

You can find additional information on this standard here:

The way CSP works is simple: the server adds a header to the web document response that tells the browser from where it may load resources and how to treat them.

The header has to respect a given structure; you can find the specification of this header here: CSP header specification

It is composed of a list of policy directives and has the following form:

Content-Security-Policy: <first-policy-directive>; <second-policy-directive>; <etc>

Each policy directive is composed of a directive name followed by one or more values.

The following is a basic example of a CSP header:

Content-Security-Policy: default-src 'self' https: ; object-src 'none'

It contains two policy directives. default-src and object-src are the directive names; 'self' and https: are the values of the first directive, and 'none' is the value of the second. Note that source keywords such as 'self' and 'none' must be enclosed in single quotes; a double-quoted "self" is not recognized as the keyword by browsers.

For an application built on top of the Platform, a default configuration is provided for the CSP header. If you need to customize it, it can be achieved in the Gateway extension.

A typical case in which the CSP header needs to be customized is when you develop a graphical widget that consumes external resources like icons, fonts, etc.

The configuration is done in the following file: extensions/gateway-service-extension/config/application.yml

Note: Safari does not handle the CSP header in the same way as other browsers, like Chrome, Firefox or Edge. In order for web notifications to work properly in Safari, you have to add the base WebSocket URL to the values of the default-src policy directive.

For an application accessible via the URL https://my-application.io, you need to add the value wss://my-application.io to the default-src policy directive.

The configuration should then look like the following:

spring:
  cloud:
    gateway:
      filter:
        secure-headers:
          content-security-policy: "default-src wss://my-application.io 'self' ..."
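To make the header structure described above concrete, and to check the Safari requirement from the note, here is a small parser and checker written for this page (an added example, not code from the Platform or the Gateway extension). It assumes it is given the value of the Content-Security-Policy header, without the header name.

```python
from urllib.parse import urlparse

# Source keywords that CSP requires to be wrapped in single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def parse_csp(header):
    """Split "<name> <v1> <v2>; <name2> <v3>" into {name: [values]}.
    Directive names are case-insensitive; empty directives are skipped."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def lint_csp(header):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    policy = parse_csp(header)
    if "default-src" not in policy:
        findings.append("no default-src: fetch directives that are not set "
                        "fall back to allowing every source")
    for name, values in policy.items():
        for value in values:
            bare = value.strip("'\"")
            # "self" (double quotes) or a bare self is parsed as a host name,
            # not as the keyword, so the page's own origin is not allowed.
            if bare in KEYWORDS and value != f"'{bare}'":
                findings.append(f"{name}: {value} must be written as '{bare}'")
    return findings


def websocket_sources(header):
    """WebSockets are governed by connect-src, falling back to default-src."""
    policy = parse_csp(header)
    return policy.get("connect-src", policy.get("default-src", []))


def allows_websocket(header, app_url):
    """True if the wss:// origin derived from app_url (or the wss: scheme) is
    listed explicitly. 'self' is deliberately not counted: as the note above
    says, Safari needs the explicit wss:// URL for notifications to work."""
    wss_origin = "wss://" + urlparse(app_url).netloc
    return any(src in (wss_origin, wss_origin + "/", "wss:")
               for src in websocket_sources(header))
```

Run lint_csp on the header value from application.yml before deploying; a finding about quoting means the keyword would be silently treated as a host name.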