Increase Security with CSP Settings
Problem description: As a requirement of a secure application, access to scripts, style sheets and other resources should be restricted to those which are required by Spring Cloud Data Flow.
Solution description: An existing WebSecurityConfigurerAdapter can be used, or a new one applied, with the following settings:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class CspSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Deny everything by default, then allow only same-origin resources
        // (plus data: URLs for images and fonts, and inline styles).
        http.headers()
            .contentSecurityPolicy(
                "default-src 'none'; " +
                "script-src 'self'; " +
                "connect-src 'self'; " +
                "img-src 'self' data:; " +
                "style-src 'self' 'unsafe-inline'; " +
                "base-uri 'self'; " +
                "form-action 'self'; " +
                "font-src 'self' data:");
    }
}
```
Note: If this should be back ported to a version in which bootstrap is used for the login / logout https://maxcdn.bootstrapcdn.com/bootstrap/ https://getbootstrap.com/docs/ needs to be applied behind unsafe-inline, as the CDNs need to be trusted in this case.
Description of alternatives: None
Additional context: None
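To check what the proposed policy permits before deploying it, here is a small CSP source-matching checker, added as an example that is not code from the issue or from Spring Cloud Data Flow. It implements a subset of CSP matching ('self', scheme sources such as data:, host sources with an explicit scheme, exact host and path prefix, and the fall-back to default-src) and shows that the bootstrap CDN prefixes from the backport note are blocked by the policy unless they are listed in style-src; the origin http://localhost:9393 and the resource URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Policy proposed in the issue, copied here as a constant for the example
PROPOSED_CSP = ("default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; "
                "style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; font-src 'self' data:")
# Backport variant from the note: the two bootstrap CDN prefixes trusted for style sheets
BACKPORT_CSP = PROPOSED_CSP.replace("style-src 'self' 'unsafe-inline'", "style-src 'self' 'unsafe-inline' "
                                    "https://maxcdn.bootstrapcdn.com/bootstrap/ https://getbootstrap.com/docs/")
# Directives that do NOT fall back to default-src when they are absent
NO_DEFAULT_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _source_matches(source, url, origin):
    # Subset of CSP source matching: 'self', scheme sources (data:) and host sources with an
    # explicit scheme, exact host and path prefix (no wildcards); other keywords never match a URL
    if source == "'self'":
        return (url.scheme, url.hostname, url.port) == (origin.scheme, origin.hostname, origin.port)
    if source.endswith(":"):
        return url.scheme == source[:-1]
    if source.startswith("'"):
        return False
    src = urlparse(source if "://" in source else f"{url.scheme}://{source}")
    if src.scheme != url.scheme or src.hostname != url.hostname:
        return False
    if src.path in ("", "/"):
        return True
    return url.path.startswith(src.path) if src.path.endswith("/") else url.path == src.path

def is_allowed(policy, directive, resource_url, page_origin):
    """True if a page served from page_origin may load resource_url under `directive`."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None:
        if directive in NO_DEFAULT_FALLBACK:
            return True  # directive absent and no fall-back to default-src: unrestricted
        sources = directives.get("default-src", [])
    if "'none'" in sources:
        return False
    url, origin = urlparse(resource_url), urlparse(page_origin)
    return any(_source_matches(s, url, origin) for s in sources)
```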
@klopfdreh Please note version 2.9.5 recently released includes a change that removes the need for bootstrap from the logout page.
Hey @corneil - great, but then I would suggest to only add the contentSecurityPolicy mentioned in this ticket above.
We had an extensive discussion with Spring Security team and their suggestion is to remain with the defaults.
Ok - no problem - we can adjust this in our config easily 👍