JCSPGenerator

JCSPGenerator is an open source Java library for dynamically generating a Content-Security-Policy header. Requires Java 8+.

Please be very careful if using this library in a production setting.

Setting an incorrect, or even partially incorrect CSP header can easily hamper your site's performance and security, potentially rendering it both unusable and vulnerable. Only use this library if you have the knowledge & means to thoroughly, independently test any value it produces.
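One way to act on that warning is to check the produced value with code that does not share the generator's assumptions. The following is an added example and is not part of JCSPGenerator: it depends only on java.util, parses a policy string the way a browser groups it (first occurrence of a directive wins, `object-src` falls back to `default-src`, `base-uri` and `frame-ancestors` do not) and reports settings that commonly undermine a CSP. The sample policy in `main` is written out by hand from the directives of the basic example above, not captured from the library; in real use pass `header.getValue()` instead.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Independent sanity check of a Content-Security-Policy value. Added README
 * example, not part of JCSPGenerator; it works on any policy string.
 */
public final class CspCheck {

    /** Parses "name src src; name src" into directive -> sources. Repeated directives are reported, not merged. */
    static Map<String, List<String>> parse(String policy, List<String> findings) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String raw : policy.split(";")) {
            String[] tokens = raw.trim().split("\\s+");
            if (tokens[0].isEmpty()) {
                continue; // empty segment, e.g. a trailing ';'
            }
            String name = tokens[0].toLowerCase(Locale.ROOT);
            List<String> sources = new ArrayList<>(Arrays.asList(tokens).subList(1, tokens.length));
            if (directives.containsKey(name)) {
                findings.add(name + ": repeated directive; browsers ignore all but the first");
                continue;
            }
            directives.put(name, sources);
        }
        return directives;
    }

    /** Returns the weaknesses found; an empty list means the basic checks passed. */
    static List<String> check(String policy) {
        List<String> findings = new ArrayList<>();
        Map<String, List<String>> d = parse(policy, findings);

        for (Map.Entry<String, List<String>> e : d.entrySet()) {
            List<String> src = e.getValue();
            if (src.contains("'none'") && src.size() > 1) {
                findings.add(e.getKey() + ": 'none' combined with other sources is invalid");
            }
            if (src.contains("*")) {
                findings.add(e.getKey() + ": wildcard * allows any origin");
            }
            if (src.contains("http:") || src.stream().anyMatch(s -> s.startsWith("http://"))) {
                findings.add(e.getKey() + ": allows plaintext http sources");
            }
        }

        // script-src falls back to default-src; with neither set, scripts are unrestricted.
        List<String> script = d.containsKey("script-src") ? d.get("script-src") : d.get("default-src");
        if (script == null) {
            findings.add("script-src/default-src: missing, scripts are unrestricted");
        } else {
            boolean nonceOrHash = script.stream().anyMatch(s -> s.startsWith("'nonce-") || s.startsWith("'sha"));
            if (script.contains("'unsafe-inline'") && !nonceOrHash) {
                findings.add("script-src: 'unsafe-inline' without a nonce or hash defeats XSS protection");
            }
            if (script.contains("'unsafe-eval'")) {
                findings.add("script-src: 'unsafe-eval' permits string-to-code execution");
            }
        }

        // object-src inherits default-src; base-uri and frame-ancestors must be set explicitly.
        for (String required : new String[] {"object-src", "base-uri", "frame-ancestors"}) {
            boolean covered = d.containsKey(required)
                    || (required.equals("object-src") && d.containsKey("default-src"));
            if (!covered) {
                findings.add(required + ": not set");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: the README's basic example directives written by hand,
        // not the library's actual output. Replace with header.getValue() in practice.
        String policy = "default-src 'self' https://res.example.com; frame-src 'none'; "
                + "img-src 'self' https://images.example.com https://cdn.example.com; media-src 'none'; "
                + "object-src 'none'; script-src 'self'; frame-ancestors 'none'; block-all-mixed-content";
        List<String> findings = check(policy);
        System.out.println(findings.isEmpty() ? "no findings" : String.join(System.lineSeparator(), findings));
    }
}
```

On the constructed sample the only finding is the missing `base-uri`, which the basic example above does not set; whether that matters depends on whether your pages use relative script URLs that a `<base>` injection could redirect. Run the check in a unit test against the real `header.getValue()` so a change to the policy definition cannot silently loosen it.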

Basic usage:

CSPHeader header = new CSPHeader(
        CSP.defaultSrc(CSP.SELF, "https://res.example.com"),
        CSP.frameSrc(CSP.NONE),
        CSP.imgSrc(CSP.SELF, "https://images.example.com", "https://cdn.example.com"),
        CSP.mediaSrc(CSP.NONE),
        CSP.objectSrc(CSP.NONE),
        CSP.scriptSrc(CSP.SELF),
        CSP.frameAncestors(CSP.NONE),
        CSP.blockAllMixedContent()
);
System.out.println(header.getValue());

A slightly more advanced use case:

String nonce = CSPUtils.generateNonce();
CSPHeader header = new CSPHeader(
        CSP.defaultSrc(CSP.SELF),
        CSP.connectSrc(CSP.SELF, "https://legacy.example.com"),
        CSP.fontSrc(CSP.SELF, "https://fonts.example.com"),
        CSP.frameSrc(CSP.SELF, "https://frame.paypal.com", "https://frame2.paypal.com", "https://analytics.provider.info"),
        CSP.imgSrc(CSP.SELF, "https://images.example.com", "https://cdn.example.com"),
        CSP.mediaSrc(CSP.NONE),
        CSP.objectSrc(CSP.NONE),
        CSP.scriptSrc(CSP.SELF, CSP.nonce(nonce)),
        CSP.frameAncestors(CSP.NONE),
        CSP.blockAllMixedContent(),
        CSP.upgradeInsecureRequests()
);
System.out.println(header.getValue()); //Put this as the value of your Content-Security-Policy header
header.getLegacyXFrameOptionsValue().ifPresent(System.out::println); //Print out a meaningful, legacy X-Frame-Options equivalent if possible

Integrates with Spring easily:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.headers()
      .contentSecurityPolicy(header.getValue());
}
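The Spring snippet above passes one fixed string to `contentSecurityPolicy`, which is right for a static policy but not for the nonce variant: a nonce generated once at configuration time is sent with every response, and a value any visitor can read gives no more protection than `'unsafe-inline'`. The policy therefore has to be rebuilt per request. The servlet filter below is an added example, not part of JCSPGenerator or of the README's Spring configuration; it uses only the library calls shown on this page (`CSPUtils.generateNonce()`, `CSP.nonce`, `CSPHeader`, `getValue()`, `getLegacyXFrameOptionsValue()`), assumes the servlet API is on the classpath, and the request attribute name `csp.nonce` is a hypothetical choice for handing the nonce to the template layer. The README does not state the library's package name, so that import is left to the reader.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
// Import CSPHeader, CSP and CSPUtils from JCSPGenerator here; the README does not give their package.

/**
 * Builds the Content-Security-Policy per response so every page carries a fresh nonce.
 * Added example, not part of JCSPGenerator.
 */
public final class CspNonceFilter implements Filter {

    /** Hypothetical request attribute under which templates read the nonce for their nonce="" attributes. */
    public static final String NONCE_ATTRIBUTE = "csp.nonce";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String nonce = CSPUtils.generateNonce();      // new random nonce for this response only
        request.setAttribute(NONCE_ATTRIBUTE, nonce);  // templates must echo it into each inline <script nonce="...">

        CSPHeader header = new CSPHeader(
                CSP.defaultSrc(CSP.SELF),
                CSP.scriptSrc(CSP.SELF, CSP.nonce(nonce)),
                CSP.objectSrc(CSP.NONE),
                CSP.frameAncestors(CSP.NONE),
                CSP.upgradeInsecureRequests()
        );

        HttpServletResponse http = (HttpServletResponse) response;
        // Headers must be set before the chain writes the body; they cannot be added once the response is committed.
        http.setHeader("Content-Security-Policy", header.getValue());
        header.getLegacyXFrameOptionsValue().ifPresent(v -> http.setHeader("X-Frame-Options", v));
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter ahead of anything that writes the response, and make sure the template engine reads the nonce from the request attribute rather than from a cached value; a nonce that ends up in a CDN or server-side page cache is reused across visitors and loses its value.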

Maven

<dependency>
  <groupId>com.github.berry120.JCSPGenerator</groupId>
  <artifactId>JCSPGenerator</artifactId>
  <version>0.1</version>
</dependency>

Gradle

compile 'com.github.berry120.JCSPGenerator:JCSPGenerator:0.1'

For feature requests, issues or suggested improvements, please file an issue and/or PR.