configuring Content-Security-Policy in tomcat

I read about configuring/implementing the Content-Security-Policy header and I came across 2 ways of doing it:

  1. using a custom filter that implements Filter, as given in this link
  2. using a meta tag

Please note that this question is not a duplicate of this; I am looking for a solution better than the one given in this link.

I see the drawback in (1) is that it's driven through code, not through a configuration file; the drawback in option (2) is that if I have, say, 100 HTML files, I need to put this tag in every HTML file? (Correct me if I'm wrong.) The solution I'm looking for is something I can configure in web.xml that becomes applicable to all the HTML files, the way we configure X-Frame-Options in web.xml as given here. Don't we have a similar way of configuring Content-Security-Policy in web.xml?

vsp Avatar asked Aug 31 '16 06:08



2 Answers

Configure content-security-policy in web.xml

You can use the recommendation provided by OWASP here. It is a web filter that you implement in your backend.

The filter below then has to be defined in your web.xml file. It gets called on every request in your application. In Java you do that by creating an appropriate class.

    <filter>
        <filter-name>ContentSecurityPolicy</filter-name>
        <filter-class>YourPackagePath.ContentSecurityPolicyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ContentSecurityPolicy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The above will apply the values below for Content-Security-Policy in your HTTP header:

default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block

RICHARD ABRAHAM Avatar answered Oct 19 '22 15:10

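To show what the filter class referenced by the web.xml mapping above looks like when the policy itself is kept in configuration rather than in code, here is an added example (not the OWASP filter and not code from the original answer). It reads the policy string from a `policy` init-param in web.xml and optionally emits the header in report-only mode; the package name, the init-param names and the fallback policy are assumptions made for this example.

```java
package example.security; // assumed package name; use your own

/*
 * Matching web.xml fragment (assumed init-param names):
 *
 *   <filter>
 *     <filter-name>ContentSecurityPolicy</filter-name>
 *     <filter-class>example.security.ContentSecurityPolicyFilter</filter-class>
 *     <init-param>
 *       <param-name>policy</param-name>
 *       <param-value>default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>reportOnly</param-name>
 *       <param-value>false</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ContentSecurityPolicy</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets Content-Security-Policy (or the Report-Only variant) on every HTTP
 * response. The policy text comes from web.xml, so changing it is a
 * configuration change, not a code change.
 */
public class ContentSecurityPolicyFilter implements Filter {

    private static final String HEADER = "Content-Security-Policy";
    private static final String HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only";

    // Fallback used when web.xml provides no policy (assumed default for this example).
    private static final String DEFAULT_POLICY = "default-src 'self'";

    private String policy;
    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy");
        policy = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_POLICY
                : configured.trim();
        // Report-only lets you roll a policy out and watch violation reports
        // before the browser starts blocking anything.
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header before handing off to the servlet: once the
            // response is committed, headers can no longer be added.
            http.setHeader(reportOnly ? HEADER_REPORT_ONLY : HEADER, policy);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the header is set before `chain.doFilter`, it applies to static HTML served by Tomcat's default servlet as well as to dynamic responses, which is what the question asks for. Note that the policy quoted in the answer above allows `'unsafe-inline'` and `'unsafe-eval'` for `script-src`; that keeps legacy inline scripts working but gives up most of the protection CSP offers against injected script, so treat it as a starting point and tighten it once inline scripts have been moved into files served from `'self'`.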


Have you tried using https://github.com/sourceclear/headlines (dead link, this is all I could find: https://github.com/stevespringett/headlines)? Its goal is to make security-related headers a matter of configuration instead of code, as you ask.

    {
      "XContentTypeConfig": {
        "enabled": true
      },

      "XFrameOptionsConfig": {
        "enabled": true,
        "value": "DENY"
      },

      "XssProtectionConfig": {
        "enabled": true
      },

      "HstsConfig": {
        "enabled": true,
        "includeSubdomains": true,
        "maxAge": 31536000
      },

      "CspConfig": {
        "csp": {
          "default-src": ["'self'"]
        },
        "cspReportOnly": {}
      },

      ... snip
    }
oreoshake Avatar answered Oct 19 '22 14:10
