3 * Copyright (C) 2009-2024 SonarSource SA
4 * mailto:info AT sonarsource DOT com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 3 of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 package org.sonar.server.authentication;
22 import java.math.BigInteger;
23 import java.security.SecureRandom;
24 import java.util.List;
25 import org.sonar.api.server.http.HttpResponse;
27 public class SamlValidationCspHeaders {
/**
 * Not instantiable: this class only exposes static helpers.
 *
 * @throws IllegalStateException always, should the constructor be reached (e.g. reflectively)
 */
private SamlValidationCspHeaders() {
  throw new IllegalStateException("Utility class, cannot be instantiated");
/**
 * Writes a nonce-based Content-Security-Policy onto the SAML validation response.
 * <p>
 * A fresh nonce is generated for every call and embedded in the {@code script-src} directive,
 * so only inline scripts whose {@code nonce} attribute carries that exact value may execute.
 * The same policy string is set under the standard header name and two legacy
 * vendor-prefixed names.
 * <p>
 * NOTE(review): {@code style-src} still allows {@code 'unsafe-inline'} and the
 * {@code img-src}/{@code connect-src} sources are broad; this is a deliberately looser
 * policy than the script directive and is worth re-checking whenever the validation page's
 * markup changes.
 * <p>
 * NOTE(review): this listing is truncated — several lines of the method (further directives
 * inside {@code List.of(...)}, its closing parenthesis and the return statement) are not
 * shown here; consult the full file before relying on the exact directive set.
 *
 * @param httpResponse the response the headers are written to
 * @return presumably the generated nonce (without the {@code nonce-} prefix) so the caller
 *         can place it on the script tags — the return statement is not in view, confirm
 */
public static String addCspHeadersWithNonceToResponse(HttpResponse httpResponse) {
  final String nonce = getNonce();
  List<String> cspPolicies = List.of(
    "connect-src 'self' http: https:",
    "img-src * data: blob:",
    // Only scripts carrying this exact nonce attribute are allowed to run.
    "script-src 'nonce-" + nonce + "'",
    "style-src 'self' 'unsafe-inline'",
  // Directives are joined with "; " into a single policy value.
  String policies = String.join("; ", cspPolicies).trim();
  // Standard header name plus the two legacy vendor-prefixed names; all get the same policy.
  List<String> cspHeaders = List.of("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP");
  cspHeaders.forEach(header -> httpResponse.setHeader(header, policies));
/**
 * Generates a fresh, unpredictable CSP nonce.
 * <p>
 * Draws 130 random bits from {@link SecureRandom} and renders them in base 32 (digits and
 * lowercase {@code a}-{@code v}), which makes the value safe to embed verbatim in a
 * {@code 'nonce-...'} CSP source and in a {@code nonce} attribute. A new value must be
 * produced for every response: the nonce only protects against injected scripts as long as
 * it cannot be predicted or reused.
 * <p>
 * Kept in step with org.sonar.server.authentication.JwtCsrfVerifier.generateState.
 *
 * @return the nonce value, without the {@code nonce-} prefix
 */
private static String getNonce() {
  SecureRandom random = new SecureRandom();
  BigInteger bits = new BigInteger(130, random);
  return bits.toString(32);
}