From ddd3d02a22eaaf6cd0c29544d7fd9a23f24caea2 Mon Sep 17 00:00:00 2001
From: Frederik Hahne
Date: Fri, 31 May 2019 22:58:12 +0200
Subject: [PATCH] improve security headers by setting conten-security and feature policy and deny embedding in an iFrame closes #9549
---
 .../java/package/config/SecurityConfiguration.java.ejs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs b/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs
index 48ca959db3c1..ed677d293824 100644
--- a/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs
+++ b/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs
@@ -88,6 +88,7 @@ import org.springframework.security.web.csrf.CsrfFilter;
 <%_ if (authenticationType === 'jwt' && applicationType !== 'microservice') { _%>
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 <%_ } _%>
+import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 <%_ if (applicationType !== 'microservice') { _%>
 import org.springframework.web.filter.CorsFilter;
 <%_ } _%>
@@ -223,8 +224,14 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 <%_ } _%>
 .and()
 .headers()
+.contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
+.and()
+.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
+.and()
+.featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
+.and()
 .frameOptions()
-.disable()
+.deny()
 .and()
 <%_ if (authenticationType === 'jwt' || (authenticationType === 'oauth2' && applicationType === 'microservice')) { _%>
 .sessionManagement()
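Review bot: The `script-src` directive on the new `.contentSecurityPolicy(...)` line allows `'unsafe-inline'` and `'unsafe-eval'`, so injected inline script is still executed and the header provides little XSS mitigation, yet the template hard-codes the policy without saying why those sources are needed or how an application should tighten it. I would add a comment above the call such as `// NOTE: 'unsafe-inline'/'unsafe-eval' are presumably required by the generated frontend bundle; replace with nonce- or hash-based script-src once the client build supports it` so generated projects do not mistake this for a strict policy. Since the same hunk switches `.frameOptions()` from `.disable()` to `.deny()`, the CSP could carry the equivalent `frame-ancestors` directive for browsers that honour CSP over X-Frame-Options: `.contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")`. Note also that `default-src 'self'` governs connect-src, img-src and font-src, so generated applications that call external APIs or load remote fonts will have to override this string, which argues for reading it from a configuration property rather than a literal. The method building this `HttpSecurity` chain (presumably `configure(HttpSecurity)`) starts and ends outside the hunk.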