
Improve Default Content Security Policy (CSP) to make default JHipster applications more secure #21067

Closed
OmarHawk opened this issue Feb 8, 2023 · 8 comments

@OmarHawk
Contributor

OmarHawk commented Feb 8, 2023

Overview of the feature request

At the moment, the default CSP (at least we have one) looks like this:

<%_ if (clientTheme !== 'none') { _%>
content-security-policy: "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:"
<%_ } else { _%>
content-security-policy: "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:"
<%_ } _%>

We do have unsafe-inline and unsafe-eval in script-src and style-src. This is not optimal from a security perspective, because injected JavaScript code would theoretically be executed. By default, we should produce the application in a way that it works without these unsafe rules and then also get rid of these defaults.

In some places, we do have (unnecessary) inline JavaScript code like href="javascript:void(0)" which can quite easily be replaced; in others, we do have script tags in the initial HTML, which probably requires a nonce - or should be extracted into an actual script file. Then, we also have some dependencies, like springdoc / swagger ui, which have had open issues about this for quite some time.

Motivation for or Use Case

Make the default JHipster configuration more secure.

Related issues or PR

#9549, swagger-api/swagger-ui#7540, springdoc/springdoc-openapi#1492

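To make the risk in the policy above concrete, here is an added example (not JHipster's own code, and not part of the issue): a small linter that parses the header quoted in the issue, reports the `'unsafe-inline'` / `'unsafe-eval'` sources in `script-src` and `style-src`, and derives the nonce-based replacement the issue hints at. The function names, the fallback-to-`default-src` logic and the `'nonce-…'` rewrite are assumptions chosen for illustration; the starting policy is the `clientTheme !== 'none'` branch copied from the issue.

```python
"""Lint a Content-Security-Policy header and derive a nonce-based variant.

Added example, not JHipster's own code. DEFAULT_CSP is the policy quoted in the
issue; everything else (names, hardening strategy) is an assumption for illustration.
"""
import secrets
from typing import Dict, List

# Policy copied from the issue (the `clientTheme !== 'none'` branch).
DEFAULT_CSP = (
    "default-src 'self'; frame-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; "
    "style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:"
)

# Source expressions that re-enable the very thing CSP exists to block:
# 'unsafe-inline' lets injected <script>/<style> run, 'unsafe-eval' lets eval()
# and new Function() turn injected strings into code.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';', sources by whitespace. Directive names are
    case-insensitive, so they are lowercased; empty segments are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: rebuild the header value, one directive per segment."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


def find_unsafe_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Return "<directive> <keyword>" findings for script-src and style-src.

    If a directive is absent the browser falls back to default-src, so the
    linter checks the same list the browser would use.
    """
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        for keyword in sorted(UNSAFE_KEYWORDS):
            if keyword in sources:
                findings.append(f"{directive} {keyword}")
    return findings


def harden_csp(policy: Dict[str, List[str]], nonce: str) -> Dict[str, List[str]]:
    """Drop the unsafe keywords from script-src/style-src and allow a per-response nonce.

    Any inline <script>/<style> that stays in the page must then carry
    nonce="<nonce>"; everything else has to move into external files. The nonce
    must be fresh for every response, which is why the caller supplies it.
    """
    hardened = {name: list(srcs) for name, srcs in policy.items()}
    for directive in ("script-src", "style-src"):
        sources = [s for s in hardened.get(directive, []) if s not in UNSAFE_KEYWORDS]
        sources.append(f"'nonce-{nonce}'")
        hardened[directive] = sources
    return hardened


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded (22 characters).

    A nonce only works if it is unguessable and never reused across responses.
    """
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    current = parse_csp(DEFAULT_CSP)
    for finding in find_unsafe_sources(current):
        print("weak:", finding)
    nonce = new_nonce()
    print("hardened:", serialize_csp(harden_csp(current, nonce)))
    print('inline tags need: <script nonce="%s">...</script>' % nonce)
```

Two caveats the linter makes visible: a nonce only replaces `'unsafe-inline'`, while `'unsafe-eval'` has no nonce equivalent and disappears only once nothing in the shipped bundle calls `eval` / `new Function`; and a fixed nonce baked into a template is no better than `'unsafe-inline'`, so the value has to be generated per response and injected into both the header and the tags.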
@mraible
Contributor

mraible commented Feb 8, 2023

I believe unsafe-inline is required by Angular. I could be wrong.

Can you please test your suggested changes with an Angular, React, and a Vue app and see if they work?

@OmarHawk
Contributor Author

OmarHawk commented Feb 8, 2023

Angular did work apart from some console errors regarding the mentioned points. I'll test React/Vue in the next days.

@atomfrede
Member

When we added the CSP, Angular didn't work at all without unsafe-inline.

@github-actions
Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of jhipster generated application, bugs can become invalid.
If this issue still applies please comment otherwise it will be closed in 7 days

@OmarHawk
Contributor Author

Not stale

Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of jhipster generated application, bugs can become invalid.
If this issue still applies please comment otherwise it will be closed in 7 days

@OmarHawk
Contributor Author

Still not stale. Will sooner or later pick it up ;-)

Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of jhipster generated application, bugs can become invalid.
If this issue still applies please comment otherwise it will be closed in 7 days

@github-actions github-actions bot closed this as not planned (stale) Sep 23, 2024
@mraible mraible added this to the 8.7.2 milestone Oct 28, 2024