Currently, projects are on their own setting Content-Security-Policy header (and adjacent -Report-Only), by manipulating the filter-chain, and adding a AddHeadersFilter, as shown in the docs.

This is error-prone, global to all sites, and supports only static behaviors with pre-configured fixed values. And is way too far from project (light) development.

We should do the same as we did for CORS (MAGNOLIA-7215 and MGNLSITE-101):

• Add a domain-specific CspFilter implementation in core (impl-detail), capable of adding CSP (and CSPRO) headers based on filter self-config.
• Extend it with a SiteAwareCspFilter in site-module, reading CspConfiguration from the Site definition (clone ticket when doing so).

This will allow projects to set it in YAML site-defs (still done via site module-config decoration to this date).

Out of scope:

• for editors to fill-in the values (too technical for them anyway)
• HSTS (may clone ticket at convenience)

Original description (cloud-specific) from dlopez

The default CSP header value coming from magnolia-now-configuration (cloud bundle) doesn't work out for projects out of the box. As a matter of fact, the tendency is to switch it off.

The topic is recurrent for any project doing penetration tests.