Hi there!
When adding CSP config to my Spring Boot application, the web app does not work properly due to the inline scripts you have. Even after whitelisting the necessary scripts, it does not work.
It looks like the following:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS).denyAll()
                .antMatchers("/**").permitAll()
                .and()
            .httpBasic()
                .and()
            .headers()
                // script-src: same-origin files plus one sha256 source per allowed inline script
                .contentSecurityPolicy("default-src 'self'; script-src 'self' " +
                    "'sha256-4CVPQsuVT5h/sEHGkMEGsCEtmdXq4a35b082Bn2QkMw=' " +
                    "'sha256-X/RQb8xC18J/qukmIb/f38jxJtZ8ztQMfxVmCALhq+o=' " +
                    "'sha256-qdIqrhFcA7RjmgA0GVVQC0neAKWAPlpJsrKk1YOApyU=' " +
                    "'sha256-8HcmGr5J500+3OujYxFdiXPy7hoD++bQCYDn7TQSlyM=' " +
                    "'sha256-SQJwrtySD1NMnAzBtEaqWANNWeAsrWxqczTiGTEPIyA=' " +
                    "'sha256-F4UrTkurcfRnBC0FHZLf+zH9UqrvNDoyAEh1xTOD+oU=' " +
                    "'sha256-0cU3QQPHJM4AjznCYz17h5ctA9AX4naF48TbtvKe+Ic=' " +
                    "'sha256-wYaNq722WTyUkl8kMIzLsFvM9bS7wCq6p20Nn6SBSj0=' " +
                    "'sha256-+hRvDw1V0WGky9GknYbeQhVpw73flTA1IlSl/TGIE4g='; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';")
                .and()
                // HSTS: one year, subdomains included
                .httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000);
    }
}
```
Do you know why?
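
A way to check which inline scripts a policy like the one above actually covers, as an added example that is not part of the original post or of the project's code: it hashes each inline `<script>` body as a browser does (exact text, whitespace included), lists the hashes missing from `script-src`, and lists inline event-handler attributes, which script hashes cover only when `'unsafe-hashes'` is also present. The function names, sample page and sample policy are constructed for illustration, and the regex extraction is an assumption that suits simple pages, not a full HTML parser.

```javascript
const { createHash } = require('node:crypto');

// CSP source expression for an inline script: SHA-256 over the exact text
// between <script> and </script>, whitespace and newlines included.
function cspHash(scriptText) {
  return "'sha256-" + createHash('sha256').update(scriptText, 'utf8').digest('base64') + "'";
}

// Source expressions listed under script-src in a policy string.
function scriptSrcSources(policy) {
  const directive = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  return new Set(directive ? directive.slice(1) : []);
}

// Returns the hashes of inline <script> blocks that the policy does not list,
// and the names of inline event-handler attributes found in the markup
// (these are not matched by script hashes unless 'unsafe-hashes' is set).
function auditInlineScripts(html, policy) {
  const allowed = scriptSrcSources(policy);
  const missing = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    if (/\bsrc\s*=/i.test(attrs) || body === '') continue; // external or empty
    const hash = cspHash(body);
    if (!allowed.has(hash)) missing.push(hash);
  }
  // Look for on*= attributes outside script bodies only.
  const markup = html.replace(scriptRe, '');
  const handlers = [...markup.matchAll(/\s(on[a-z]+)\s*=/gi)].map(m => m[1]);
  return { missing, handlers };
}

// Constructed sample page and policy (not taken from the post).
const sampleHtml = [
  '<html><body onload="init()">',
  '<script>window.a = 1;</script>',
  '<script>\n  window.b = 2;\n</script>', // same statement, extra whitespace
  '<script src="/app.js"></script>',
  '</body></html>',
].join('\n');
const samplePolicy = "default-src 'self'; script-src 'self' " +
  cspHash('window.a = 1;') + ' ' + cspHash('window.b = 2;') + ';';
console.log(auditInlineScripts(sampleHtml, samplePolicy));
```

In the sample, the second inline script is reported as missing because its hash was computed without the surrounding whitespace, and `onload` is reported as an inline handler.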