diff --git a/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java b/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java
index 0de8e2cc7..1dc699c87 100644
--- a/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java
+++ b/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java
@@ -36,6 +36,9 @@ public class ApiSecurity extends WebSecurityConfigurerAdapter {
     @Value("${csp.allowed.hosts}")
     private String cspAllowedHosts;
 
+    @Value("${csp.enabled}")
+    private boolean cspEnabled;
+
     @Autowired
     public ApiSecurity(AuthService authService) {
         this.authService = authService;
@@ -50,13 +53,17 @@ protected void configure(HttpSecurity http) throws Exception {
          * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
          * https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive
          */
-        String policyDirectives = "default-src 'self' ; connect-src 'self' " + cspAllowedHosts + ";";
-        policyDirectives += "img-src 'self' " + cspAllowedHosts + " data: ;";
-        policyDirectives += "style-src 'self' 'unsafe-inline'; object-src 'none';";
-        policyDirectives += "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
-        policyDirectives += " 'sha256-5As4+3YpY62+l38PsxCEkjB1R4YtyktBtRScTJ3fyLU=' ";
-        policyDirectives += " 'sha256-MDtIDJhP1FMu16GoPm7X/I7sEECznvKCwlPRG8uDDDc=' ;";
-        http.headers().xssProtection().and().contentSecurityPolicy(policyDirectives);
+        if (cspEnabled) {
+            String policyDirectives = "default-src 'self' ; connect-src 'self' " + cspAllowedHosts + ";";
+            policyDirectives += "img-src 'self' " + cspAllowedHosts + " data: ;";
+            policyDirectives += "style-src 'self' 'unsafe-inline'; object-src 'none';";
+            policyDirectives += "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+            policyDirectives += " 'sha256-5As4+3YpY62+l38PsxCEkjB1R4YtyktBtRScTJ3fyLU=' ";
+            policyDirectives += " 'sha256-MDtIDJhP1FMu16GoPm7X/I7sEECznvKCwlPRG8uDDDc=' ;";
+            http.headers().xssProtection().and().contentSecurityPolicy(policyDirectives);
+        } else {
+            http.headers().xssProtection();
+        }
 
         CsrfConfigurer csrf = http.headers().frameOptions().sameOrigin().and().csrf();
         HttpSecurity httpSecurity;
diff --git a/avni-server-api/src/main/resources/application.properties b/avni-server-api/src/main/resources/application.properties
index ebcaebbfa..d2ce48747 100644
--- a/avni-server-api/src/main/resources/application.properties
+++ b/avni-server-api/src/main/resources/application.properties
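Review bot: The `else` branch `http.headers().xssProtection();` is effectively a no-op: in Spring Security 5.x (the `WebSecurityConfigurerAdapter` line of the hunk header) the `X-XSS-Protection` header is already among the defaults that `http.headers()` applies, so the branch reads as if it configures something it does not. A flatter shape makes the kill-switch explicit: call `http.headers().xssProtection();` once unconditionally, then `if (cspEnabled) { ... http.headers().contentSecurityPolicy(policyDirectives); }` with no `else`. Since `csp.enabled=false` means the response carries no `Content-Security-Policy` header at all, a comment on the `if` such as `// csp.enabled=false: no Content-Security-Policy header is sent, only the default X-XSS-Protection` keeps that downgrade visible to the next reader. The `script-src` lines also deserve a note that browsers implementing CSP Level 2 ignore `'unsafe-inline'` once a hash source is listed, so inline scripts not matching one of the two hashes are blocked while `'unsafe-eval'` still applies. `configure` starts before this hunk and continues after it.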
@@ -86,6 +86,7 @@ minio.accessKey=${OPENCHS_MINIO_ACCESS_KEY:dummy}
 minio.secretAccessKey=${OPENCHS_MINIO_SECRET_ACCESS_KEY:dummy}
 static.path=${OPENCHS_STATIC_PATH:/opt/openchs/static/}
+csp.enabled=${OPENCHS_CSP_ENABLED:false}
 csp.allowed.hosts=${OPENCHS_CSP_ALLOWED_HOSTS:*.amazonaws.com keycloak-staging.avniproject.org}
 analytics.path=${OPENCHS_ANALYTICS_PATH:/opt/openchs/analytics/}
 spring.jackson.serialization.write-dates-as-timestamps=false
diff --git a/avni-server-api/src/test/resources/application.properties b/avni-server-api/src/test/resources/application.properties
index 9dc65d970..29676c484 100644
--- a/avni-server-api/src/test/resources/application.properties
+++ b/avni-server-api/src/test/resources/application.properties
@@ -96,4 +96,5 @@ avni.blacklisted.urls-file=
 avni.csrf.enabled=${AVNI_CSRF_ENABLED:false}
 avni.web.validHosts=${AVNI_WEB_VALIDHOSTS:}
 avni.enhancedValidation.enabled=${AVNI_ENHANCED_VALIDATION:false}
+csp.enabled=${OPENCHS_CSP_ENABLED:false}
 csp.allowed.hosts=dummy
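Review bot: Defaulting `csp.enabled` to `false` in the main `application.properties` turns the `Content-Security-Policy` header off for every deployment that does not set `OPENCHS_CSP_ENABLED`, whereas before this commit the header was sent unconditionally; that is a silent downgrade on upgrade rather than an opt-out. Unless shipping without CSP by default is the intent, the safer line here is `csp.enabled=${OPENCHS_CSP_ENABLED:true}`, keeping the `false` default only in the test resources (the second hunk of this file section). If `false` is deliberate, a comment line above the property stating that no CSP header is sent until the variable is set would at least keep the decision visible in configuration review.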