A configurable Java Servlet filter adding the "Content-Security-Policy" header to a ServletResponse
Content Security Policy Filter (Java)

Adds the 'Content-Security-Policy' or 'Content-Security-Policy-Report-Only' header to the response.

Also see:

Normally you will need only a few of the init parameters, or none at all. If no init parameter is defined, the header will look like this:

Content-Security-Policy = default-src 'none'

Here is an example of a full configuration of the ContentSecurityPolicyFilter in web.xml:

    <filter>
        <filter-name>ContentSecurityPolicyFilter</filter-name>
        <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>

        <init-param>
            <!-- If not specified the default is false -->
            <param-name>report-only</param-name>
            <param-value>false</param-value>
        </init-param>
        <!-- Optionally add a report-uri -->
        <init-param>
            <param-name>report-uri</param-name>
            <param-value>/ContentSecurityPolicyReporter</param-value>
        </init-param>
        <init-param>
            <param-name>sandbox</param-name>
            <param-value>true</param-value>
            <!-- true enables the sandbox behaviour - the default is false - one can also specify exceptions, e.g.
            <param-value>allow-forms allow-same-origin</param-value>
            -->
        </init-param>
        <!-- Remember that special keywords have to be put in single quotes, e.g. 'none', 'self' -->
        <init-param>
            <!-- If not specified the default is 'none' -->
            <param-name>default-src</param-name>
            <param-value>'none'</param-value>
        </init-param>
        <init-param>
            <param-name>img-src</param-name>
            <param-value>http://*.example.com</param-value>
        </init-param>
        <init-param>
            <param-name>script-src</param-name>
            <param-value>'self' js.example.com</param-value>
        </init-param>
        <init-param>
            <param-name>style-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>connect-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>font-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>object-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>media-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>frame-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>ContentSecurityPolicyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
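
To show how init parameters like those above become the header value, here is an added, hypothetical minimal filter; it is not the project's de.saville.csp.ContentSecurityPolicyFilter, and the class name MinimalCspFilter and its helper methods are assumptions. It follows the README's stated behaviour: default-src falls back to 'none', report-only only switches the header name, and sandbox accepts either true or a list of exceptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical minimal filter; not the project's de.saville.csp.ContentSecurityPolicyFilter.
public class MinimalCspFilter implements Filter {
    // Directives copied verbatim from init-params (default-src is handled separately).
    private static final String[] DIRECTIVES = {"script-src", "style-src", "img-src",
        "connect-src", "font-src", "object-src", "media-src", "frame-src"};
    private String headerName;
    private String policy;

    @Override
    public void init(FilterConfig config) {
        // report-only=true only switches the header name; the policy text is identical.
        boolean reportOnly = Boolean.parseBoolean(config.getInitParameter("report-only"));
        headerName = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
        policy = buildPolicy(config);
    }

    // Assembles "directive value; directive value; ..." from the init-params.
    static String buildPolicy(FilterConfig config) {
        StringBuilder sb = new StringBuilder();
        String defaultSrc = config.getInitParameter("default-src");
        append(sb, "default-src", defaultSrc == null ? "'none'" : defaultSrc.trim()); // README default
        for (String name : DIRECTIVES) {
            String value = config.getInitParameter(name);
            if (value != null && !value.trim().isEmpty()) append(sb, name, value.trim());
        }
        String sandbox = config.getInitParameter("sandbox");
        if ("true".equalsIgnoreCase(sandbox)) sb.append("; sandbox"); // full sandbox; sb already holds default-src
        else if (sandbox != null && !"false".equalsIgnoreCase(sandbox)) append(sb, "sandbox", sandbox.trim());
        String reportUri = config.getInitParameter("report-uri");
        if (reportUri != null) append(sb, "report-uri", reportUri.trim());
        return sb.toString();
    }

    private static void append(StringBuilder sb, String name, String value) {
        if (sb.length() > 0) sb.append("; ");
        sb.append(name).append(' ').append(value);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) ((HttpServletResponse) res).setHeader(headerName, policy);
        chain.doFilter(req, res);
    }
    @Override public void destroy() {}
}
```

With the full configuration above this produces `default-src 'none'; script-src 'self' js.example.com; style-src 'self'; img-src http://*.example.com; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; frame-src 'self'; sandbox; report-uri /ContentSecurityPolicyReporter`.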

Optionally, configure a servlet to log the CSP violation reports that browsers send to the report-uri:

    <servlet>
        <servlet-name>ContentSecurityPolicyReporter</servlet-name>
        <servlet-class>de.saville.csp.ContentSecurityPolicyReporter</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>ContentSecurityPolicyReporter</servlet-name>
        <url-pattern>/ContentSecurityPolicyReporter</url-pattern>
    </servlet-mapping>

License

This project is a fork of the following repository where the original code is published under the Apache License: https://github.com/ronaldploeger/ContentSecurityPolicyFilter

This fork will build upon the work that was previously done and will do so under the terms of the MIT License.
