Increase Security with CSP Settings #5026

Closed
klopfdreh opened this issue Jul 21, 2022 · 4 comments
klopfdreh (Contributor) commented Jul 21, 2022

Problem description:
As a requirement of a secure application, access to scripts, style sheets and other resources should be restricted to those which are required by Spring Cloud Data Flow.

Solution description:
An existing WebSecurityConfigurerAdapter can be used, or a new one could be added, with the following settings:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Class name is illustrative; any existing WebSecurityConfigurerAdapter can carry this method.
    @Configuration
    public class CspSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            // default-src 'none' blocks every resource type that is not explicitly listed below;
            // 'unsafe-inline' on style-src permits inline <style> blocks and style attributes.
            http.headers()
                    .contentSecurityPolicy(
                            "default-src 'none'; " +
                                    "script-src 'self'; " +
                                    "connect-src 'self'; " +
                                    "img-src 'self' data:; " +
                                    "style-src 'self' 'unsafe-inline'; " +
                                    "base-uri 'self'; " +
                                    "form-action 'self'; " +
                                    "font-src 'self' data:");
        }
    }

Note: If this should be backported to a version in which bootstrap is used for the login / logout pages, https://maxcdn.bootstrapcdn.com/bootstrap/ and https://getbootstrap.com/docs/ need to be added behind unsafe-inline, as the CDNs need to be trusted in this case.

Description of alternatives:
None

Additional context:
None
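
An added example, not from this issue or from the Spring Cloud Data Flow project: a small Python evaluator for the policy proposed above, showing how a browser resolves a resource request against it, in particular the `default-src 'none'` fallback that blocks any resource type not listed, and why the Bootstrap CDN hosts from the note have to be added to `style-src` for a backport. It models only the source expressions used in this thread (`'none'`, `'self'`, `'unsafe-inline'`, scheme sources such as `data:`, host sources with a path prefix); nonces, hashes, wildcards and default-port rules are left out. The document origin `https://dataflow.example` and the request URLs are constructed values, and the backport variant is one reading of the note (both hosts appended to `style-src` after `'unsafe-inline'`), not text from the issue.

```python
from urllib.parse import urlparse

# Policy proposed in this issue (same directives as the Java snippet above).
PROPOSED_POLICY = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; "
    "img-src 'self' data:; style-src 'self' 'unsafe-inline'; "
    "base-uri 'self'; form-action 'self'; font-src 'self' data:"
)

# Assumed backport variant: the two Bootstrap CDN hosts from the note appended to
# style-src after 'unsafe-inline' (one reading of the note, not the issue's exact text).
BACKPORT_POLICY = PROPOSED_POLICY.replace(
    "style-src 'self' 'unsafe-inline'",
    "style-src 'self' 'unsafe-inline' "
    "https://maxcdn.bootstrapcdn.com/bootstrap/ https://getbootstrap.com/docs/",
)

# Fetch directives that inherit default-src when they are not listed.
# base-uri and form-action deliberately do not: if absent they are unrestricted.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}

# Constructed document origin for the examples.
DOC_ORIGIN = "https://dataflow.example"


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            # A repeated directive is ignored by browsers; the first one wins.
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source: str, url: str, doc_origin: str = DOC_ORIGIN) -> bool:
    """Does one source expression permit a fetch of `url` from a page at `doc_origin`?"""
    keyword = source.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return _origin(url) == doc_origin.lower()
    if keyword == "'unsafe-inline'":
        return False  # governs inline code only, never a URL fetch
    target = urlparse(url)
    if keyword.endswith(":") and "/" not in keyword:
        return target.scheme == keyword[:-1]  # scheme-source such as data:
    # host-source: [scheme://]host[:port][/path]; "//" makes urlparse treat a bare host as netloc
    allowed = urlparse(source if "://" in source else "//" + source)
    if allowed.scheme and allowed.scheme != target.scheme:
        return False
    if (allowed.hostname or "") != (target.hostname or ""):
        return False
    if allowed.port is not None and allowed.port != target.port:
        return False
    if not allowed.path:
        return True
    if allowed.path.endswith("/"):
        return target.path.startswith(allowed.path)  # path prefix match
    return target.path == allowed.path


def governing_sources(policy: dict, directive: str):
    """Sources in force for a directive after the default-src fallback; None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def is_allowed(policy: dict, directive: str, url: str, doc_origin: str = DOC_ORIGIN) -> bool:
    """Would the browser load `url` for the given directive under `policy`?"""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, doc_origin) for s in sources)


def allows_inline(policy: dict, directive: str) -> bool:
    """Whether inline <script>/<style> is permitted (nonce/hash allowances not modeled)."""
    sources = governing_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


if __name__ == "__main__":
    proposed, backport = parse_csp(PROPOSED_POLICY), parse_csp(BACKPORT_POLICY)
    css = "https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
    print("bootstrap css under proposed policy:", is_allowed(proposed, "style-src", css))
    print("bootstrap css under backport policy:", is_allowed(backport, "style-src", css))
    print("same-origin iframe (falls back to default-src 'none'):",
          is_allowed(proposed, "frame-src", DOC_ORIGIN + "/embed"))
```

Two points worth noticing when running it: a same-origin iframe is refused under the proposed policy because `frame-src` is not listed and inherits `default-src 'none'`, while a policy that omits `form-action` leaves form posts to any origin unrestricted, since `form-action` never falls back to `default-src`. That is why the proposal lists `base-uri` and `form-action` explicitly.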

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Jul 21, 2022
@markpollack markpollack added the area/security Belongs to security label Aug 3, 2022
@markpollack markpollack added this to the 2.10.0-M2 milestone Aug 3, 2022
corneil (Contributor) commented Aug 17, 2022

@klopfdreh Please note version 2.9.5 recently released includes a change that removes the need for bootstrap from the logout page.

klopfdreh (Contributor, Author) commented

Hey @corneil - great, but then I would suggest only adding the contentSecurityPolicy mentioned in this ticket above.

@markpollack markpollack modified the milestones: 2.10.0-M2, 2.10.0-M3 Aug 17, 2022
@markpollack markpollack removed the status/need-triage Team needs to triage and take a first look label Aug 17, 2022
corneil (Contributor) commented Aug 30, 2022

We had an extensive discussion with the Spring Security team, and their suggestion is to remain with the defaults.

@corneil corneil closed this as completed Aug 30, 2022
klopfdreh (Contributor, Author) commented

Ok - no problem - we can adjust this in our config easily 👍
