Spaces:

learnifymedhub
/

auth

Sleeping

App Files Files Community

learnifymedhub commited on Feb 24

Commit

c9e7759

verified ·

1 Parent(s): 017f3d1

Update src/main/java/com/example/config/SecurityConfig.java

Browse files

Files changed (1) hide show

src/main/java/com/example/config/SecurityConfig.java +37 -1

src/main/java/com/example/config/SecurityConfig.java CHANGED Viewed

@@ -32,7 +32,43 @@ public class SecurityConfig {
                 .defaultSuccessUrl("/secure", true)
             )
             .logout(logout -> logout.logoutSuccessUrl("/"))
-            .oidcLogout(oidc -> oidc.backChannel(Customizer.withDefaults()));
         return http.build();
     }

                 .defaultSuccessUrl("/secure", true)
             )
             .logout(logout -> logout.logoutSuccessUrl("/"))
+            .oidcLogout(oidc -> oidc.backChannel(Customizer.withDefaults()))
+            .headers(headers -> headers
+                // 1. Content Security Policy (Hardened)
+                .contentSecurityPolicy(csp -> csp
+                    .policyDirectives("default-src 'self'; " +
+                        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
+                        "style-src 'self' 'unsafe-inline'; " +
+                        "img-src 'self' data:; " +
+                        "connect-src 'self' " +
+                            "https://8080-firebase-auth-java-1771681085208.cluster-c36dgv2kibakqwbbbsgmia3fny.cloudworkstations.dev " +
+                            "https://4200-firebase-auth-java-1771681085208.cluster-c36dgv2kibakqwbbbsgmia3fny.cloudworkstations.dev " +
+                            "https://learnifymedhub-kc.hf.space; " +
+                        "frame-ancestors 'self' https://*.cloudworkstations.dev https://*.google.com; " +
+                        "form-action 'self';")
+                )
+                // 2. HTTP Strict Transport Security (HSTS)
+                .httpStrictTransportSecurity(hsts -> hsts
+                    .includeSubDomains(true)
+                    .preload(true)
+                    .maxAgeInSeconds(31536000) // 1 year
+                )
+                // 3. X-Content-Type-Options: nosniff
+                .contentTypeOptions(Customizer.withDefaults())
+                // 4. X-Frame-Options: SAMEORIGIN
+                .frameOptions(frame -> frame.sameOrigin())
+                // 5. Referrer Policy
+                .referrerPolicy(referrer -> referrer
+                    .policy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
+                )
+                // 6. Permissions Policy (FIXED: Using the new permissionsPolicyHeader method)
+                .permissionsPolicyHeader(permissions -> permissions
+                    .policy("geolocation=(), microphone=(), camera=(), payment=(), usb=()")
+                )
+            );
         return http.build();
     }