Security updates for XSS

CMSgov · Jul 27, 2023 · 3cbca44 · 3cbca44
1 parent 73c56f9
commit 3cbca44
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/converter/pom.xml b/converter/pom.xml
@@ -166,6 +166,12 @@
 			<version>2.12.2</version>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>gov.cms.qpp.conversion</groupId>
+			<artifactId>commons</artifactId>
+			<version>2022.2.0-RELEASE</version>
+			<scope>compile</scope>
+		</dependency>
 
 	</dependencies>
 </project>
diff --git a/rest-api/src/main/java/gov/cms/qpp/conversion/api/config/SecurityConfig.java b/rest-api/src/main/java/gov/cms/qpp/conversion/api/config/SecurityConfig.java
@@ -1,11 +1,13 @@
 package gov.cms.qpp.conversion.api.config;
 
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
 
 import gov.cms.qpp.conversion.api.security.JwtAuthorizationFilter;
 
@@ -42,6 +44,11 @@ protected void configure(HttpSecurity http) throws Exception {
 			.addFilter(new JwtAuthorizationFilter(authenticationManager(), Set.of(orgName, rtiOrgName)))
 			.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 			.and().cors()
-			.and().csrf().disable();
+			.and().csrf().disable()
+			.headers(headers -> headers
+				.contentSecurityPolicy(csp -> csp
+					.policyDirectives("script-src 'self'")
+				)
+			);
 	}
 }