Add content security header policy

changelog.txt

@@ -17,4 +17,5 @@ eDelivery SMP 4.2
     smp.sso.cas.token.validation.params: The CAS token validation key:value properties separated with '|'.Ex: 'acceptStrengths:BASIC,CLIENT_CERT|assuranceLevel:TOP'
     smp.sso.cas.token.validation.groups:  The '|' separated CAS groups user must belong to.
     smp.http.httpStrictTransportSecurity.maxAge: How long(in seconds) HSTS should last in the browser's cache(default one year)
+    smp.http.header.security.policy: Http header content security policy
     
\ No newline at end of file

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java

@@ -13,6 +13,7 @@ public enum SMPPropertyEnum {
     OUTPUT_CONTEXT_PATH("contextPath.output", "true", "This property controls pattern of URLs produced by SMP in GET ServiceGroup responses.", true, false, true, SMPPropertyTypeEnum.BOOLEAN),
     HTTP_FORWARDED_HEADERS_ENABLED("smp.http.forwarded.headers.enabled", "false", "Use (value true) or remove (value false) forwarded headers! There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client.", false, false, false, SMPPropertyTypeEnum.BOOLEAN),
     HTTP_HSTS_MAX_AGE("smp.http.httpStrictTransportSecurity.maxAge", "31536000", "How long(in seconds) HSTS should last in the browser's cache(default one year)", false, false, true, SMPPropertyTypeEnum.INTEGER),
+    HTTP_HEADER_SEC_POLICY("smp.http.header.security.policy", "default-src 'self'; script-src 'self'; child-src 'none'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';", "Content Security Policy (CSP)", false, false, true, SMPPropertyTypeEnum.INTEGER),
     // http proxy configuration
     HTTP_PROXY_HOST("smp.proxy.host", "", "The http proxy host", false, false, false, SMPPropertyTypeEnum.STRING),
     HTTP_NO_PROXY_HOSTS("smp.noproxy.hosts", "localhost|127.0.0.1", "list of nor proxy hosts. Ex.: localhost|127.0.0.1", false, false, false, SMPPropertyTypeEnum.STRING),

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java

@@ -74,6 +74,10 @@ public class ConfigurationService {
         return (Integer) configurationDAO.getCachedPropertyValue(HTTP_HSTS_MAX_AGE);
     }
 
+    public String getHttpHeaderContentSecurityPolicy() {
+        return configurationDAO.getCachedProperty(HTTP_HEADER_SEC_POLICY);
+    }
+
     public String getHttpProxyHost() {
         return configurationDAO.getCachedProperty(HTTP_PROXY_HOST);
     }

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/config/SpringSecurityConfig.java

@@ -22,6 +22,7 @@ import eu.europa.ec.edelivery.smp.data.ui.auth.SMPAuthority;
 import eu.europa.ec.edelivery.smp.error.SpringSecurityExceptionHandler;
 import eu.europa.ec.edelivery.smp.services.ConfigurationService;
 import eu.europa.ec.edelivery.smp.utils.SMPCookieWriter;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -210,6 +211,11 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
                     .maxAgeInSeconds(maxAge)
                     .requestMatcher(AnyRequestMatcher.INSTANCE).and().and();
         }
+
+        String contentSecurityPolicy = configurationService.getHttpHeaderContentSecurityPolicy();
+        if (StringUtils.isNotBlank(contentSecurityPolicy)) {
+            httpSecurity = httpSecurity.headers().contentSecurityPolicy(contentSecurityPolicy).and().and();
+        }
     }
 
     @Override