Community Advisor

AEM as a Cloud : How to add nonce values to Content Security Policy Headers?

Forum|Forum|2 years ago
January 17, 2024
3 replies
3627 views

Hi Team

I am trying to add CSP headers to my pages. I know we can add it as Headers via dispatcher (which is more secure) and also using meta tags. I need to add some nonce values. So I am thinking to use meta tags. Has anyone implmented CSP with nonce values in AEM as Cloud ? Do you have any pointers on the best approach ?

Thanks

Veena

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Kamal_Kishor

Community Advisor

@veenavikraman: We had implemented adding CSP headers addition through servlet Filters.

I am not sure if this is the best way to add CSP header/rules.

But, this gave us the option to specify the content paths using 'sling.filter.pattern' (and other options that we get with Filter), if we wanted to apply the rules for requests under a specific path alone.

Rules were authored on a config page which was applicable per site. We used a component to author multiple CSP rules and multi values for the domain etc.
The reason we did this was to be able to specify different CSP rules per website and site authors had the control over updating the rules.

After converting all the rules to a string, 'Content-Security-Policy' header was added to SlingHttpServletResponse object.

@Override
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
//We skipped all of this on author run-mode OR if a site does not have the config-page OR config component is not authored.

String cspRules = "";
//get all csp rules and append to cspRules i.e default-src 'self'; style-src 'self' 'nonce-N2M0MDhkN2EtMmRkYi00MTExLWFhM2YtNDhkNTc4NGJhMjA3';
//add csp header to the response.
response.addHeader("Content-Security-Policy", cspRules )
chain.doFilter(request, response);

}

Please refer this for filter example : https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/core/src/main/java/com/adobe/acs/samples/filters/impl/SampleSlingRequestFilter.java

Kamal_Kishor

Community Advisor

There is an accepted answer as well. Please see if that helps you : https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-as-a-cloud-manager-how-to-add-content-security-policy-header/td-p/584471

VeenaVikraman

Author

Community Advisor

@kamal_kishor Will this affect cache ? I understand adding nonce value require each request to have a new nonce value. That means, we cannot cache the responses as each response should be new with a new random generated nonce value. How did you handle that ?