From 2dd39541eda5602dc8f564215e453adabc5905a3 Mon Sep 17 00:00:00 2001
From: ds-ext-abugajewski <112549278+ds-ext-abugajewski@users.noreply.github.com>
Date: Thu, 10 Aug 2023 08:16:20 +0200
Subject: [PATCH] fix(irs-api): [TRI-1095] Lack of HTTP security headers - add Referrer-Policy and Permissions-Policy
---
 .../tractusx/irs/configuration/SecurityConfiguration.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/irs-api/src/main/java/org/eclipse/tractusx/irs/configuration/SecurityConfiguration.java b/irs-api/src/main/java/org/eclipse/tractusx/irs/configuration/SecurityConfiguration.java
index 3d7050528d..99361bf475 100644
--- a/irs-api/src/main/java/org/eclipse/tractusx/irs/configuration/SecurityConfiguration.java
+++ b/irs-api/src/main/java/org/eclipse/tractusx/irs/configuration/SecurityConfiguration.java
@@ -39,6 +39,8 @@
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.PermissionsPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
@@ -69,6 +71,7 @@ public class SecurityConfiguration {
     };
     private static final long HSTS_MAX_AGE_DAYS = 365;
     private static final String ONLY_SELF_SCRIPT_SRC = "script-src 'self'";
+    private static final String PERMISSION_POLICY = "microphone=(), geolocation=(), camera=()";
     @SuppressWarnings("PMD.SignatureDeclareThrowsException")
     @Bean
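Review bot: The new constant `PERMISSION_POLICY` denies exactly three browser features and says nothing about why those three were chosen, which makes it hard for the next person to know whether the list may be extended or trimmed; a one-line comment such as `// Permissions-Policy: deny browser features this JSON API never needs; extend this list rather than shorten it.` would settle that. Its name also diverges from the header it feeds (`Permissions-Policy`), so `PERMISSIONS_POLICY` would read more naturally next to `ONLY_SELF_SCRIPT_SRC`, which is named after its directive. Whether a broader deny list (payment, usb, fullscreen and similar) is appropriate depends on the API's consumers and is not something this hunk decides.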
@@ -92,6 +95,9 @@ public class SecurityConfiguration {
         httpSecurity.headers(headers -> headers.addHeaderWriter(new ContentSecurityPolicyHeaderWriter(ONLY_SELF_SCRIPT_SRC)));
         httpSecurity.headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
+        httpSecurity.headers(headers -> headers.addHeaderWriter(new ReferrerPolicyHeaderWriter(
+                ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)));
+        httpSecurity.headers(headers -> headers.addHeaderWriter(new PermissionsPolicyHeaderWriter(PERMISSION_POLICY)));
         httpSecurity.sessionManagement(sessionManagement -> sessionManagement
                 .sessionCreationPolicy(STATELESS));
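Review bot: The diffstat shows only SecurityConfiguration.java changing, so nothing pins the two headers the three added lines introduce; a MockMvc test asserting `Referrer-Policy: same-origin` and `Permissions-Policy: microphone=(), geolocation=(), camera=()` on any endpoint would keep the TRI-1095 finding from quietly regressing the next time this filter chain is touched. As a matter of style, the two new `addHeaderWriter` calls could use the built-in configurers, matching the `frameOptions` line directly above them: `headers.referrerPolicy(referrer -> referrer.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN))` and `headers.permissionsPolicy(permissions -> permissions.policy(PERMISSION_POLICY))`, which also removes the need for the `PermissionsPolicyHeaderWriter` import. A short comment above the new lines, e.g. `// Referrer-Policy and Permissions-Policy: added for TRI-1095; tighten rather than relax.`, would tie them to the finding. The enclosing method starts and ends outside the hunk.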