Backup - CSP nginx header list (Nov 2020)

csp_headers.txt

root@bastion-1:~/java# cat awacs-nginx/awacs-nginx.conf | grep add_header
    add_header Content-Security-Policy "base-uri 'self'; default-src 'self'; script-src 'self' https://qa.awacscloud.tech; object-src 'self' https://qa.awacscloud.tech; report-uri /authserver/actuator/csp/report" always;
    add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Feature-Policy "none" always;
    add_header Server zombie always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
   add_header Access-Control-Expose-Headers "ETag, Link, Location, Retry-After, X-Awacs-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-Awacs-Media-Type, Deprecation, Sunset";
    add_header Cache-Control "no-cache" always;
    add_header Vary "Accept-Encoding, Accept, X-Requested-With" always;
root@bastion-1:~/java#

csp_report

package com.aiocdwacs.awacscloudauthserver.actuator;

import java.util.Map;

import com.fasterxml.jackson.annotation.JsonAnyGetter;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.google.gson.GsonBuilder;

@JsonInclude(JsonInclude.Include.NON_EMPTY)
public class CspReport {

	Map<String, String> cspReportMap;

	@JsonAnyGetter
	public Map<String, String> getCspReportMap() {
		return cspReportMap;
	}

	public void setCspReportMap(Map<String, String> cspReportMap) {
		this.cspReportMap = cspReportMap;
	}
	
	public String toString(){
		return new GsonBuilder().setPrettyPrinting().create().toJson(this);
	}
}

csp_report2

package com.aiocdwacs.awacscloudauthserver.actuator;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.endpoint.web.annotation.RestControllerEndpoint;
import org.springframework.http.ResponseEntity;
import org.springframework.retry.annotation.Backoff;
import org.springframework.retry.annotation.Retryable;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;

//https://csp.withgoogle.com/docs/index.html

//curl --location --request GET 'http://localhost:8100/actuator/csp/report' \
//--header 'Content-Type: application/json' \
//--data-raw '{
//   "csp-report":{
//      "document-uri":"https://example.com/foo/bar",
//      "referrer":"https://www.google.com/",
//      "violated-directive":"default-src self",
//      "original-policy":"default-src self; report-uri /csp-hotline.php",
//      "blocked-uri":"http://evilhackerscripts.com"
//   }
//}'

@Component
@RestControllerEndpoint(id="csp")
public class RestCspReportCustomEndpoint {

	Logger logger = LoggerFactory.getLogger(RestCspReportCustomEndpoint.class);
	
	@Retryable(maxAttempts=3, value=RuntimeException.class, backoff = @Backoff( delay = 300000, multiplier = 2) )
	@GetMapping("/report")
    public @ResponseBody ResponseEntity<String> reportEndpoint(@RequestBody CspReport incident){
		
		logger.warn("ALERT ALERT ALERT");
		logger.warn("CSP Incident detected - "+ incident);

		// send notification ??
		return ResponseEntity.ok("incident acknowledged!");
    }
}

Gives A+ grade

https://securityheaders.com/?q=https://qa.awacscloud.tech/

https://securityheaders.com/?q=https://app.awacscloud.tech/