MAGNOLIA-8141: Facilitate CSP headers configuration for projects


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Neutral

      Currently, projects are on their own when setting the Content-Security-Policy header (and the adjacent -Report-Only one): they have to manipulate the filter chain and add an AddHeadersFilter, as shown in the docs.

      This is error-prone, global to all sites, and supports only static behaviour with pre-configured fixed values. It is also far removed from project (light) development.

      We should do the same as we did for CORS (MAGNOLIA-7215 and MGNLSITE-101):

      • Add a domain-specific CspFilter implementation in core (impl-detail), capable of adding CSP (and CSPRO) headers based on the filter's own configuration.
      • Extend it with a SiteAwareCspFilter in the site module, reading a CspConfiguration from the Site definition (clone this ticket when doing so).

      This will allow projects to set it in YAML site definitions (still done via site module-config decoration to this date).
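      To make the two-step proposal above concrete, here is an added example of what a configuration-driven CSP filter could look like. It is hypothetical code written for this ticket, not Magnolia's CspFilter, SiteAwareCspFilter or CspConfiguration; the class and method names, the shape of the configuration object and the sample sources (e.g. https://cdn.example.com) are all assumptions. The point it shows is that the header name (enforcing vs. Report-Only) and the header value are both derived from configuration, so a project can start in Report-Only mode and tighten the policy without touching the filter chain.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CSP filter (added example, not Magnolia's CspFilter / SiteAwareCspFilter).
 * It renders a Content-Security-Policy or Content-Security-Policy-Report-Only header
 * from a configuration object instead of a hard-coded value in an AddHeadersFilter.
 */
public class CspFilter implements Filter {

    /** Configuration shape a YAML site definition could map to (assumption). */
    public static class CspConfiguration {
        // directive name -> sources; insertion order is kept so the header is stable
        private final Map<String, List<String>> directives = new LinkedHashMap<>();
        private boolean enabled = true;
        private boolean reportOnly = false;

        public CspConfiguration directive(String name, String... sources) {
            directives.put(name, Arrays.asList(sources));
            return this;
        }

        public CspConfiguration setEnabled(boolean enabled) { this.enabled = enabled; return this; }
        public CspConfiguration setReportOnly(boolean reportOnly) { this.reportOnly = reportOnly; return this; }
        public boolean isEnabled() { return enabled; }
        public boolean isReportOnly() { return reportOnly; }

        /** Report-Only lets a project observe violations before enforcing the policy. */
        public String headerName() {
            return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
        }

        /** Serialises directives as "name src src; name src"; a directive without sources is just its name. */
        public String headerValue() {
            return directives.entrySet().stream()
                .map(e -> e.getValue().isEmpty()
                    ? e.getKey()
                    : e.getKey() + " " + String.join(" ", e.getValue()))
                .collect(Collectors.joining("; "));
        }
    }

    private final CspConfiguration config;

    public CspFilter(CspConfiguration config) {
        this.config = config;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise: the configuration is injected
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (config.isEnabled() && response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader (not addHeader) so a value set earlier in the chain is replaced, not duplicated
            http.setHeader(config.headerName(), config.headerValue());
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /** Prints the header a constructed site-level configuration would produce. */
    public static void main(String[] args) {
        CspConfiguration cfg = new CspConfiguration()
            .directive("default-src", "'self'")
            .directive("script-src", "'self'", "https://cdn.example.com")
            .directive("frame-ancestors", "'none'")
            .directive("upgrade-insecure-requests")
            .setReportOnly(true);
        System.out.println(cfg.headerName() + ": " + cfg.headerValue());
    }
}
```

      In a site-aware variant the CspConfiguration would be looked up per request from the resolved site rather than held in a field, which is what makes the header differ between sites instead of being global to the filter chain.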

      Out of scope:

      • for editors to fill in the values (too technical for them anyway)
      • HSTS (may clone ticket at convenience)

      Original description (cloud-specific) from dlopez

      The default CSP header value coming from magnolia-now-configuration (cloud bundle) doesn't work out for projects out of the box. As a matter of fact, the tendency is to switch it off.

      The topic is recurrent for any project doing penetration tests.

      Acceptance criteria

      Assignee: Unassigned
      Reporter: mgeljic (Mikaël Geljić)