[#183682057][#183681883] Add security headers

DNAstack · Nov 7, 2022 · b45f837 · b45f837
1 parent 2e1e2fb
commit b45f837
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/src/main/java/com/dnastack/ga4gh/dataconnect/ApplicationConfig.java b/src/main/java/com/dnastack/ga4gh/dataconnect/ApplicationConfig.java
@@ -126,6 +126,18 @@ public DefaultJwtSecurityConfig(Converter<Jwt, ? extends AbstractAuthenticationT
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http.cors().and()
+                .headers()
+                .frameOptions().deny()
+                .xssProtection().and()
+                .contentSecurityPolicy(
+                    "default-src 'self'; " +
+                    "style-src 'self'; " +
+                    "font-src 'self'; " +
+                    "script-src 'self';" +
+                    "img-src 'self'; " +
+                    "connect-src 'self';"
+                ).and()
+                .and()
                 .authorizeRequests()
                 .antMatchers("/actuator/health", "/actuator/info", "/service-info").permitAll()
                 .antMatchers("/**")
@@ -160,6 +172,18 @@ protected static class WalletJwtSecurityConfig extends WebSecurityConfigurerAdap
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http.cors().and()
+                .headers()
+                .frameOptions().deny()
+                .xssProtection().and()
+                .contentSecurityPolicy(
+                    "default-src 'self'; " +
+                    "style-src 'self'; " +
+                    "font-src 'self'; " +
+                    "script-src 'self';" +
+                    "img-src 'self'; " +
+                    "connect-src 'self';"
+                ).and()
+                .and()
                 .authorizeRequests()
                 .antMatchers("/actuator/health", "/actuator/info", "/service-info").permitAll()
                 .antMatchers("/**")
@@ -239,6 +263,18 @@ protected static class BasicAuthSecurityConfig extends WebSecurityConfigurerAdap
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http.cors().and()
+                .headers()
+                .frameOptions().deny()
+                .xssProtection().and()
+                .contentSecurityPolicy(
+                    "default-src 'self'; " +
+                    "style-src 'self'; " +
+                    "font-src 'self'; " +
+                    "script-src 'self';" +
+                    "img-src 'self'; " +
+                    "connect-src 'self';"
+                ).and()
+                .and()
                 .authorizeRequests()
                 .antMatchers("/api/**")
                 .authenticated()