Fork me on GitHub
Edit on GitHub << back to Interceptors

Content Security Policy Interceptor

Description

Interceptor that implements Content Security Policy on incoming requests.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

CSP can work in two modes, either enforce or report. In the report mode the Content-Security-Policy-Report-Only header is sent and Content-Security-Policy header is used when using the enforce mode.

CSP is now supported by all major browsers. More information about CSP.

The interceptor adds a nonce value automatically to to <s:script> and <s:link> tags. This provides a painless way to implement CSP in a highly secure fashion.

Parameters

Report action

To receive reports about violations against CSP an abstract CspReportAction action has been created, which you can extend to process the reports. When extending the action you must implement processReport(String) to process the report. Read JavaDoc of the action for more details.

Note: the action must always return an HTTP status 204.

Action aware

Since Struts 6.2.0 it is possible to configure the CSP interceptor by providing the an instance of CspSettings interface. Please use CspSettingsAware interface and implement the getCspSettings() method to steer the policy per action.

public class MyAction implements CspSettingsAware {
    
    public String execute() {
        return "success";
    }
    
    public CspSetting getCspSettings() {
      ...
    }
}

Examples

<action  name="someAction" class="com.examples.SomeAction">
    <interceptor-ref name="defaultStack">
        <param name="csp.enforcingMode">true</param>
        <param name="csp.reportUri">/csp-report.action</param>
    </interceptor-ref>
    <result name="success">good_result.ftl</result>
</action>