
Improve Default Content Security Policy (CSP) to make default JHipster applications more secure

Open OmarHawk opened this issue 2 years ago • 7 comments

Overview of the feature request

At the moment, the default CSP (at least we have one) looks like this: https://github.com/jhipster/generator-jhipster/blob/7dd8197465cf71abda38f260f376ac8bff9670c3/generators/server/templates/src/main/resources/config/application.yml.ejs#L373-L377

We do have unsafe-inline and unsafe-eval in script-src and style-src. This is not optimal from a security perspective, because injected JavaScript code would theoretically be executed. By default, we should produce the application in a way that it works without these unsafe rules and then also get rid of these defaults.

In some places, we do have (unnecessary) inline JavaScript code like href="javascript:void(0)", which can quite easily be replaced; in others, we do have script tags in the initial HTML, which probably requires a nonce - or should be extracted into an actual script file. Then, we also have some dependencies, like springdoc / swagger ui, which have had open issues about this for quite some time.

Motivation for or Use Case

Make the default JHipster configuration more secure.

Related issues or PR

#9549, https://github.com/swagger-api/swagger-ui/issues/7540, https://github.com/springdoc/springdoc-openapi/issues/1492

  • [x] Checking this box is mandatory (this is just to show you read everything)

OmarHawk avatar Feb 08 '23 17:02 OmarHawk
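As an added example (not code from the issue or from the JHipster project): a small checker that parses a CSP header value and flags the two weaknesses described above, so a generated policy can be audited before and after the change. The sample policies are constructed for illustration, not copied from the linked application.yml template.

```javascript
// Parse a Content-Security-Policy header value into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // When a directive is repeated, browsers honour the first occurrence only.
    if (!directives.has(name)) directives.set(name, parts.slice(1).map((s) => s.toLowerCase()));
  }
  return directives;
}

// Effective source list for a directive: explicit value, else default-src, else null (unrestricted).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// Report the weaknesses the issue describes in script-src and style-src.
function auditCsp(header) {
  const directives = parseCsp(header);
  const findings = [];
  for (const name of ['script-src', 'style-src']) {
    const sources = effectiveSources(directives, name);
    if (sources === null) {
      findings.push(`${name}: neither ${name} nor default-src is set, so nothing is restricted`);
      continue;
    }
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline', so only flag it otherwise.
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push(`${name}: 'unsafe-inline' lets injected inline ${name === 'script-src' ? 'scripts' : 'styles'} run`);
    }
    if (name === 'script-src' && sources.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' permits eval() and new Function()");
    }
  }
  return findings;
}

// Constructed sample policies (not the JHipster template): the shape the issue complains about,
// and a nonce-based replacement. The nonce is a placeholder; a real server issues a fresh random
// nonce per response and stamps it on every inline <script>/<style> tag it emits.
const PERMISSIVE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
const NONCE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self' 'nonce-PLACEHOLDER'; img-src 'self' data:";

console.log(auditCsp(PERMISSIVE_POLICY)); // three findings
console.log(auditCsp(NONCE_POLICY)); // []
```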

I believe unsafe-inline is required by Angular. I could be wrong.

Can you please test your suggested changes with an Angular, React, and a Vue app and see if they work?

mraible avatar Feb 08 '23 19:02 mraible

Angular did work apart from some console errors regarding the mentioned points. I'll test React/Vue in the next days.

OmarHawk avatar Feb 08 '23 20:02 OmarHawk

Nice. When we added the csp angular didn't work at all without unsafe inline.

atomfrede avatar Feb 08 '23 20:02 atomfrede

This issue is stale because it has been open for too long without any activity. Due to the moving nature of JHipster-generated applications, bugs can become invalid. If this issue still applies, please comment; otherwise it will be closed in 7 days.

github-actions[bot] avatar Sep 18 '23 00:09 github-actions[bot]

Not stale

OmarHawk avatar Sep 18 '23 10:09 OmarHawk

This issue is stale because it has been open for too long without any activity. Due to the moving nature of JHipster-generated applications, bugs can become invalid. If this issue still applies, please comment; otherwise it will be closed in 7 days.

github-actions[bot] avatar Mar 17 '24 00:03 github-actions[bot]

Still not stale. Will sooner or later pick it up ;-)

OmarHawk avatar Mar 18 '24 14:03 OmarHawk