Content Security Policy for Connect App

Hi,
We are following the Security requirements for cloud applications and we are struggling to meet the "An application must set Content Security Policy (CSP) header" requirement. Our application is using the Atlassian Connect Spring Boot library. By default the library doesn't take care of this header. We have an approach that feels wrong, because we need to keep track of it and have a look at every upcoming release, because things might change there, which will lead to us having trouble.
I would like to ask what your approach was to meet this requirement, and how exactly you implemented it.

2 Likes

Hi Egli,

I hit the same issue, but I don't know if I am using the same approach as you are, because I also need to keep track of the URL patterns impacted. I ended up going for a WebFilter implementation (using urlPatterns to only set the CSP header where it makes sense) and adding @ServletComponentScan to the main class annotated with @SpringBootApplication. Here's the code:

package com.example.filter;

import java.io.IOException;

// javax.servlet packages apply to Spring Boot 2.x (Servlet 4);
// Spring Boot 3 moved to jakarta.servlet.
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Only the iframe pages listed here get the header; the filter is picked up
// because the @SpringBootApplication class carries @ServletComponentScan.
@WebFilter(urlPatterns = {"/some-byline-page", "/some-page"})
public class AddonApplicationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Set the header before handing off to the chain, while the response
        // is still uncommitted; headers set after commit are silently dropped.
        httpServletResponse.setHeader(
                "Content-Security-Policy",
                "style-src 'self' connect-cdn.atl-paas.net; script-src 'self' connect-cdn.atl-paas.net; form-action 'self'");
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Some init code here...
    }

    @Override
    public void destroy() {
        // Some destroy code here...
    }
}

Hope it helps.

1 Like

Thank you for your answer. We went with another approach, which, for reference, is adding an interceptor and then adding the headers to the particular requests. But thank you for your answer, because I can see this helping in the future.
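The interceptor approach mentioned in the last post, written out as an added example; this is not the poster's code and not part of the Atlassian Connect Spring Boot library. It reuses the two path patterns and the policy string from the filter example earlier in the thread, and the package and class names are assumed. A Spring MVC HandlerInterceptor registered through WebMvcConfigurer sets the header in preHandle, i.e. before the controller runs and before the response can be committed, and only for the paths you register, so adding a new iframe page means adding one pattern here rather than touching the library.

```java
package com.example.security;

// javax.servlet applies to Spring Boot 2.x; Spring Boot 3 uses jakarta.servlet.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Registers a HandlerInterceptor that adds a Content-Security-Policy header
 * to the Connect app's iframe pages. Class, package and path patterns are
 * assumed for this example; the policy string is the one used in the thread.
 */
@Configuration
public class CspInterceptorConfig implements WebMvcConfigurer {

    static final String CSP_HEADER = "Content-Security-Policy";

    // Same directives as the filter example in this thread. Note that without a
    // default-src fallback, directives not listed here (img-src, connect-src, ...)
    // remain unrestricted.
    static final String POLICY =
            "style-src 'self' connect-cdn.atl-paas.net; "
            + "script-src 'self' connect-cdn.atl-paas.net; "
            + "form-action 'self'";

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CspHeaderInterceptor(POLICY))
                // Only the rendered iframe pages need the header; lifecycle and
                // REST endpoints are left alone. Patterns are assumed here.
                .addPathPatterns("/some-byline-page", "/some-page");
    }

    /** Sets the CSP header once per matched request, before the handler runs. */
    static final class CspHeaderInterceptor implements HandlerInterceptor {

        private final String policy;

        CspHeaderInterceptor(String policy) {
            this.policy = policy;
        }

        @Override
        public boolean preHandle(HttpServletRequest request,
                                 HttpServletResponse response,
                                 Object handler) {
            // preHandle runs before the controller, so the response is not yet
            // committed and the header is guaranteed to reach the client. Do not
            // overwrite a policy a controller or another component already set.
            if (!response.containsHeader(CSP_HEADER)) {
                response.setHeader(CSP_HEADER, policy);
            }
            return true; // continue with the handler chain
        }
    }
}
```

To confirm the header actually ships, request one of the registered pages with curl -sI and look for a Content-Security-Policy line in the response, and check a page outside the patterns to confirm it is absent; a header set in postHandle or afterCompletion can be lost if the view has already committed the response, which is why it belongs in preHandle.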