@FilterWith(value=ContentSecurityPolicy.Filter.class) @Target(value={METHOD,TYPE}) @Retention(value=RUNTIME) @Inherited @Documented @Repeatable(value=ContentSecurityPolicy.Repeat.class) public @interface ContentSecurityPolicy
Adds Content Security Policy (CSP) header to HTTP response.
See the W3C Candidate Recommendation and the MDN CSP documentation.
Sets the Content-Security-Policy, X-Content-Security-Policy and X-WebKit-CSP headers, using their -Report-Only flavour when reportOnly is true.
In the wild, CSP reporting is of limited use because users' bookmarklets and browser extensions generate many false positives. It can however prove really useful at the development or QA stage. To support this, the ContentSecurityPolicy.ViolationLogger controller comes as a simple violation logging facility. Add the following route to your Application to get all violations logged, assuming your report-uri CSP directive is set to /csp-violations:

    POST /csp-violations io.werval.filters.ContentSecurityPolicy$ViolationLogger.logViolation

The logging level is WARN by default; it can be changed by setting the werval.filters.csp.report_log_level configuration property to error, warn, info, debug or trace.
Modifier and Type | Optional Element and Description
---|---
String | policy
boolean | reportOnly
public abstract String policy
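As an added illustration of the policy and reportOnly elements together with the ViolationLogger route, here is a controller annotated at type level with a report-only policy for the QA stage. This is example code, not from the Werval project itself: the application package, the conf/routes and application.conf file names, and the Outcome/outcomes() controller API are assumptions and do not appear on this page.

```java
package com.acme.app; // hypothetical application package

import io.werval.api.outcomes.Outcome;                      // assumed Werval controller API
import io.werval.filters.ContentSecurityPolicy;
import static io.werval.api.context.CurrentContext.outcomes; // assumed Werval controller API

// Applied at TYPE level, so every action of this controller gets the CSP headers.
// reportOnly = true makes the filter emit the -Report-Only flavour of the three
// headers: nothing is blocked, but each violation is POSTed to report-uri.
@ContentSecurityPolicy(
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-violations",
    reportOnly = true
)
public class Pages
{
    public Outcome index()
    {
        return outcomes().ok( "<html><body>Home</body></html>" ).build();
    }

    // The annotation is @Repeatable, so an action can stack a second, enforcing
    // policy. A browser enforces every policy it receives independently, so
    // stacking can only tighten what the type-level policy already allows.
    @ContentSecurityPolicy( policy = "default-src 'none'; report-uri /csp-violations" )
    public Outcome about()
    {
        return outcomes().ok( "About" ).build();
    }
}

// conf/routes (assumed file name); the last entry is the one the page documents
// and routes the browser's violation reports to the built-in logger:
//
//   GET  /               com.acme.app.Pages.index
//   GET  /about          com.acme.app.Pages.about
//   POST /csp-violations io.werval.filters.ContentSecurityPolicy$ViolationLogger.logViolation
//
// application.conf (assumed file name); lowers the violation log level from the
// default WARN so QA noise does not pollute the warning log:
//
//   werval.filters.csp.report_log_level = info
```

Keep reportOnly = true only while the policy is being tuned: once the violation log is quiet for real user flows, flip it to false (or drop the element, since it is optional) so the same policy is actually enforced. The `-Report-Only` headers never block anything, so a policy left in that mode provides no protection.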