jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

Improve Default Content Security Policy (CSP) to make default JHipster applications more secure #21067

Open OmarHawk opened 1 year ago

OmarHawk commented 1 year ago
Overview of the feature request

At the moment, the default CSP (at least we have one) looks like this: https://github.com/jhipster/generator-jhipster/blob/7dd8197465cf71abda38f260f376ac8bff9670c3/generators/server/templates/src/main/resources/config/application.yml.ejs#L373-L377

We do have unsafe-inline and unsafe-eval in script-src and style-src. This is not optimal from a security perspective, because injected JavaScript code would theoretically be executed. By default, we should produce the application in a way that it works without these unsafe rules, and then also get rid of these defaults.

In some places, we do have (unnecessary) inline JavaScript code like href="javascript:void(0)", which can quite easily be replaced; in others, we do have script tags in the initial HTML, which probably require a nonce, or should be extracted into an actual script file. Then, we also have some dependencies, like springdoc / swagger ui, which have had open issues about this for quite some time.

Motivation for or Use Case

Make the default jhipster configuration be more secure.

Related issues or PR

9549, https://github.com/swagger-api/swagger-ui/issues/7540, https://github.com/springdoc/springdoc-openapi/issues/1492

mraible commented 1 year ago

I believe unsafe-inline is required by Angular. I could be wrong.

Can you please test your suggested changes with an Angular, React, and a Vue app and see if they work?

OmarHawk commented 1 year ago

Angular did work apart from some console errors regarding the mentioned points. I'll test React/Vue in the next days.

atomfrede commented 1 year ago

Nice. When we added the CSP, Angular didn't work at all without unsafe-inline.

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for too long without any activity. Due to the moving nature of JHipster-generated applications, bugs can become invalid. If this issue still applies, please comment; otherwise it will be closed in 7 days.

OmarHawk commented 9 months ago

Not stale

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for too long without any activity. Due to the moving nature of JHipster-generated applications, bugs can become invalid. If this issue still applies, please comment; otherwise it will be closed in 7 days.

OmarHawk commented 3 months ago

still not stale. Will sooner or later pick it up ;-)