Details
- New Feature
- Resolution: Unresolved
- Neutral
Description
Currently, projects are on their own when setting the Content-Security-Policy header (and the adjacent Content-Security-Policy-Report-Only header): they have to manipulate the filter chain and add an AddHeadersFilter, as shown in the docs.
This is error-prone, global to all sites, and supports only static behaviour with pre-configured fixed values. It is also far removed from (light) project development.
We should do the same as we did for CORS (MAGNOLIA-7215 and MGNLSITE-101):
- Add a domain-specific CspFilter implementation in core (implementation detail), capable of adding CSP (and CSPRO) headers based on the filter's own configuration.
- Extend it with a SiteAwareCspFilter in the site module, reading a CspConfiguration from the Site definition (clone this ticket when doing so).
This will allow projects to set it in YAML site definitions (to this date still done via site module-config decoration).
Out of scope:
- editors filling in the values (too technical for them anyway)
- HSTS (may clone the ticket at convenience)
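As an added illustration of the CspFilter proposed above (example code, not Magnolia's own; the class and field names, the nested configuration holder and the use of a plain javax.servlet Filter are assumptions), a filter that serialises a configured directive map into the header value and switches between the enforcing and Report-Only header names:

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical CspFilter: adds a CSP or CSPRO header from its own configuration. */
public class CspFilter implements Filter {
    /** Hypothetical config holder; a site-aware variant would read this from the Site definition. */
    public static class CspConfiguration {
        public boolean enabled = true;
        public boolean reportOnly = false;   // true -> Content-Security-Policy-Report-Only
        public String reportUri;             // optional endpoint receiving violation reports
        public Map<String, String> directives = new LinkedHashMap<>(); // e.g. "default-src" -> "'self'"
    }

    private final CspConfiguration config;

    public CspFilter(CspConfiguration config) { this.config = config; }

    /** Report-Only mode lets a project observe violations before enforcing the policy. */
    static String headerName(CspConfiguration cfg) {
        return cfg.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
    }

    /** Builds e.g. "default-src 'self'; img-src 'self' data:; report-uri /csp-report". */
    static String headerValue(CspConfiguration cfg) {
        String policy = cfg.directives.entrySet().stream()
            .map(e -> e.getKey() + " " + e.getValue())
            .collect(Collectors.joining("; "));
        if (cfg.reportUri != null && !cfg.reportUri.isEmpty()) {
            policy += "; report-uri " + cfg.reportUri;
        }
        return policy;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (config.enabled && !config.directives.isEmpty() && res instanceof HttpServletResponse) {
            // Set before the chain writes the body: headers cannot change once the response is committed.
            // setHeader replaces any value an earlier AddHeadersFilter may have put there.
            ((HttpServletResponse) res).setHeader(headerName(config), headerValue(config));
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig fc) {}
    @Override public void destroy() {}
}
```

The SiteAwareCspFilter described in the ticket would differ only in where the CspConfiguration comes from: resolved per request from the matching Site definition instead of held as a single filter-level field.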
Original description (cloud-specific) from dlopez
The default CSP header value coming from magnolia-now-configuration (cloud bundle) doesn't work out for projects out of the box. As a matter of fact, the tendency is to switch it off.
The topic is recurrent for any project doing penetration tests.