feat: csp headers

Author: Nolife999

arc-web/src/main/java/fr/insee/arc/web/WebSecurityConfiguration.java

@@ -11,6 +11,7 @@
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 
 import fr.insee.arc.core.util.StaticLoggerDispatcher;
 import fr.insee.arc.utils.ressourceUtils.PropertiesHandler;
@@ -42,7 +43,14 @@ public ClientRegistrationRepository clientRegistrationRepository(PropertiesHandl
 
 	@Bean
 	SecurityFilterChain clientSecurityFilterChain(HttpSecurity http, PropertiesHandler properties) throws Exception {
-
+		
+        http.headers(
+                headers -> headers
+                        .xssProtection(xXssConfig -> xXssConfig.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED))
+                        .contentSecurityPolicy(
+                                csp ->
+                                        csp.policyDirectives("img-src 'self' data:; style-src-elem 'self' data:; script-src-elem 'self' data:; style-src 'unsafe-inline'; default-src 'self'; script-src 'unsafe-inline'; form-action 'self'; object-src 'none';")));
+		
 		// oath2 keycloak
 		if (WebAttributesName.isKeycloakActive(properties.getKeycloakRealm())) {
 

arc-web/src/main/webapp/js/gererPilotageBAS.js

@@ -7,13 +7,8 @@ var configJS = "Render:FixedHeader;"
 		+ "Render:AlertBox;";
 
 function alimenterPhase(t){
-	console.log("savePhaseChoice :"+$("#savePhaseChoice").attr("value"));
-	console.log("$(t) :"+$(t).attr("value"));
 	$("#savePhaseChoice").attr("value",$(t).attr("value"));
 	$("#savePhaseChoice").attr("m","js");
-	console.log("savePhaseChoice :"+$("#savePhaseChoice").attr("value"));
-	console.log("savePhaseChoice :"+$("#savePhaseChoice").attr("m"));
-
 	return true;
 }
 

arc-ws/src/main/java/fr/insee/arc/ws/services/restServices/WsSecurityConfiguration.java

@@ -20,6 +20,7 @@
 import org.springframework.security.oauth2.jwt.JwtDecoders;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 
 import fr.insee.arc.core.util.StaticLoggerDispatcher;
@@ -50,6 +51,18 @@ public JwtAuthenticationConverter jwtAuthenticationConverterForKeycloak() {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http, PropertiesHandler properties) throws Exception {
 
+        http.headers(
+                headers -> headers
+                        .xssProtection(xXssConfig -> xXssConfig.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
+                        .httpStrictTransportSecurity(hsts -> hsts
+                                .includeSubDomains(true)
+                                .preload(true)
+                                .maxAgeInSeconds(31536000)
+                        )
+                        .contentSecurityPolicy(
+                                csp ->
+                                        csp.policyDirectives("style-src 'none'; default-src 'none'; script-src 'none'; form-action 'none'; object-src 'none';")));
+		
 
 		if (WebAttributesName.isKeycloakActive(properties.getKeycloakRealm())) {
 			http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwtResourceServer -> jwtResourceServer