Package io.micronaut.views.csp

Class CspConfiguration

java.lang.Object
io.micronaut.views.csp.CspConfiguration
All Implemented Interfaces:
io.micronaut.core.util.Toggleable
@ConfigurationProperties("micronaut.views.csp") public class CspConfiguration extends Object implements io.micronaut.core.util.Toggleable
Defines CSP configuration properties.
Since:
1.1
Author:
Arul Dhesiaseelan

  • Field Details

  • Constructor Details

    • CspConfiguration

      public CspConfiguration()

  • Method Details

    • isEnabled

      public boolean isEnabled()
      Specified by:
      isEnabled in interface io.micronaut.core.util.Toggleable
      Returns:
      Whether csp headers will be sent

    • getPolicyDirectives

      public Optional<String> getPolicyDirectives()
      Returns:
      The policy directives

    • isReportOnly

      public boolean isReportOnly()
      Returns:
      Whether the report only header should be set

    • isNonceEnabled

      public boolean isNonceEnabled()
      Returns:
      Whether nonce generation is enabled for each request/response cycle

    • isForceSecureRandomEnabled

      public boolean isForceSecureRandomEnabled()
      Returns:
      Whether use of SecureRandom is forced for nonce generation.

    • getRandomEngine

      public Random getRandomEngine()
      Returns:
      Random data engine currently in use to generate nonce values.

    • setEnabled

      public void setEnabled(boolean enabled)
      Sets whether CSP is enabled. Default false.
      Parameters:
      enabled - True if CSP is enabled

    • setPolicyDirectives

      public void setPolicyDirectives(@Nullable @Nullable String policyDirectives)
      Sets the policy directives.
      Parameters:
      policyDirectives - CSP policy directives

    • setReportOnly

      public void setReportOnly(boolean reportOnly)
      If true, the Content-Security-Policy-Report-Only header will be sent instead of Content-Security-Policy. Default false.
      Parameters:
      reportOnly - set to true for reporting purpose only

    • setGenerateNonce

      public void setGenerateNonce(boolean generateNonce)
      If true, the CSP header will contain a generated nonce that is made available to view renderers. The nonce should change for each request/response cycle and can be used by views to authorize inlined script blocks.
      Parameters:
      generateNonce - set to true to enable generation of nonces

    • setForceSecureRandom

      public void setForceSecureRandom(boolean forceSecureRandom)
      Sets whether `SecureRandom` is forced for use in generated nonce values. Defaults to `false`. Enabling this requires careful consideration, because `SecureRandom` will block infinitely without enough entropy.
      Parameters:
      forceSecureRandom - set to true to force SecureRandom use for nonce values.

    • setRandomEngine

      public void setRandomEngine(Random randomEngine)
      Sets the `Random` data engine used to generate nonce values. Ignored if `forceSecureRandom` is set to `true`.
      Parameters:
      randomEngine - Random data engine to use.

    • getFilterPath

      public String getFilterPath()
      Returns:
      The path the CSP filter should apply to

    • setFilterPath

      public void setFilterPath(String filterPath)
      Sets the path the CSP filter should apply to. Default value "/**".
      Parameters:
      filterPath - The filter path

    • generateNonce

      public String generateNonce()
      Generate a nonce value for use in a Content-Security-Policy header, which is usable for one request/response cycle. A good guide for generating nonce values: https://csp.withgoogle.com/docs/faq.html#generating-nonces
      Returns:
      Base64-encoded random nonce value.