avniproject/avni-webapp#1055 | Introduce CSP enabled flag

avniproject · Oct 4, 2023 · cb3552d · cb3552d
1 parent ee18818
commit cb3552d
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java b/avni-server-api/src/main/java/org/avni/server/framework/security/ApiSecurity.java
@@ -36,6 +36,9 @@ public class ApiSecurity extends WebSecurityConfigurerAdapter {
     @Value("${csp.allowed.hosts}")
     private String cspAllowedHosts;
 
+    @Value("${csp.enabled}")
+    private boolean cspEnabled;
+
     @Autowired
     public ApiSecurity(AuthService authService) {
         this.authService = authService;
@@ -50,13 +53,17 @@ protected void configure(HttpSecurity http) throws Exception {
          * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
          * https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive
          */
-        String policyDirectives = "default-src 'self' ; connect-src 'self' " + cspAllowedHosts + ";";
-        policyDirectives += "img-src 'self' " + cspAllowedHosts + " data: ;";
-        policyDirectives += "style-src 'self' 'unsafe-inline'; object-src 'none';";
-        policyDirectives += "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
-        policyDirectives += " 'sha256-5As4+3YpY62+l38PsxCEkjB1R4YtyktBtRScTJ3fyLU=' ";
-        policyDirectives += " 'sha256-MDtIDJhP1FMu16GoPm7X/I7sEECznvKCwlPRG8uDDDc=' ;";
-        http.headers().xssProtection().and().contentSecurityPolicy(policyDirectives);
+        if (cspEnabled) {
+            String policyDirectives = "default-src 'self' ; connect-src 'self' " + cspAllowedHosts + ";";
+            policyDirectives += "img-src 'self' " + cspAllowedHosts + " data: ;";
+            policyDirectives += "style-src 'self' 'unsafe-inline'; object-src 'none';";
+            policyDirectives += "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+            policyDirectives += " 'sha256-5As4+3YpY62+l38PsxCEkjB1R4YtyktBtRScTJ3fyLU=' ";
+            policyDirectives += " 'sha256-MDtIDJhP1FMu16GoPm7X/I7sEECznvKCwlPRG8uDDDc=' ;";
+            http.headers().xssProtection().and().contentSecurityPolicy(policyDirectives);
+        } else {
+            http.headers().xssProtection();
+        }
 
         CsrfConfigurer<HttpSecurity> csrf = http.headers().frameOptions().sameOrigin().and().csrf();
         HttpSecurity httpSecurity;

diff --git a/avni-server-api/src/main/resources/application.properties b/avni-server-api/src/main/resources/application.properties
@@ -86,6 +86,7 @@ minio.accessKey=${OPENCHS_MINIO_ACCESS_KEY:dummy}
 minio.secretAccessKey=${OPENCHS_MINIO_SECRET_ACCESS_KEY:dummy}
 
 static.path=${OPENCHS_STATIC_PATH:/opt/openchs/static/}
+csp.enabled=${OPENCHS_CSP_ENABLED:false}
 csp.allowed.hosts=${OPENCHS_CSP_ALLOWED_HOSTS:*.amazonaws.com keycloak-staging.avniproject.org}
 analytics.path=${OPENCHS_ANALYTICS_PATH:/opt/openchs/analytics/}
 spring.jackson.serialization.write-dates-as-timestamps=false

diff --git a/avni-server-api/src/test/resources/application.properties b/avni-server-api/src/test/resources/application.properties
@@ -96,4 +96,5 @@ avni.blacklisted.urls-file=
 avni.csrf.enabled=${AVNI_CSRF_ENABLED:false}
 avni.web.validHosts=${AVNI_WEB_VALIDHOSTS:}
 avni.enhancedValidation.enabled=${AVNI_ENHANCED_VALIDATION:false}
+csp.enabled=${OPENCHS_CSP_ENABLED:false}
 csp.allowed.hosts=dummy