Spring Boot 3 with CORS and CSP
Honestly, I thought implementing CORS and CSP would be very difficult. But I had done it before with the Servlet API and realized you can do the same with a jakarta.servlet.Filter. You can find the code here:
https://github.com/AIMMOTH/spring-boot-3/tree/auth0-cors-csp-security
Request
After reading Baeldung's blog it was easy to implement the two filters. For the request I use a component with @Order(1), which gives it high precedence (the lowest order value runs first), and it checks the request origin against a configured allow-list:
import java.io.IOException;
import java.net.URI;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.java.Log;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(1) // lowest value = highest precedence: runs before ResponseFilter
@Log
public class RequestFilter implements Filter {
    // Whitespace- or comma-separated allow-list of origins, e.g. "https://app.example http://localhost:4200"
    @Value("${ce.security.cors}")
    private String cors;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest httpRequest)
                || !(response instanceof HttpServletResponse httpResponse)) {
            log.info("Other type:" + request.getClass());
            chain.doFilter(request, response); // nothing to check on non-HTTP traffic, let it through
            return;
        }
        var referer = httpRequest.getHeader("Referer");
        var origin = httpRequest.getHeader("Origin");
        var host = httpRequest.getHeader("Host");
        log.info("Origin=" + origin + " Referer=" + referer + " Host=" + host);
        if (checkHeader(origin) || checkHeader(originOf(referer)) || checkHeader(host)) {
            if (origin != null) {
                // Reflect the matched origin rather than "*": browsers reject "*" on credentialed
                // requests (cookies, Authorization), and "*" would cancel the allow-list anyway.
                httpResponse.setHeader("Access-Control-Allow-Origin", origin);
                httpResponse.addHeader("Vary", "Origin"); // caches must not reuse this across origins
                httpResponse.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
                httpResponse.setHeader("Access-Control-Allow-Headers", "Content-Type, Origin, Authorization");
            }
            chain.doFilter(request, response);
        } else {
            log.info("No soup for YOU:" + referer);
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); // say so; an empty 200 is misleading
        }
    }

    // Exact match against each configured entry. String.contains() on the whole list would accept
    // any substring of it, e.g. "a.example" because "bad-a.example" is listed. Note that Host names
    // this server, so matching it only proves the request was addressed to a known hostname.
    private boolean checkHeader(String value) {
        if (value == null || value.isBlank()) return false;
        for (var entry : cors.split("[,\\s]+")) {
            if (entry.equals(value) || value.equals(URI.create(entry).getAuthority())) {
                return true; // Origin matches the full entry, Host matches its host[:port]
            }
        }
        return false;
    }

    // Referer carries a path; reduce it to scheme://host[:port] before comparing.
    private static String originOf(String referer) {
        if (referer == null) return null;
        try {
            var uri = URI.create(referer);
            return uri.getScheme() + "://" + uri.getAuthority();
        } catch (IllegalArgumentException e) {
            return null; // malformed Referer is simply not a match, not a 500
        }
    }
}
Response
For the response a similar filter is used, but with a higher order value: a bare @Order() defaults to Ordered.LOWEST_PRECEDENCE, so this filter runs after the request filter. It adds the Content-Security-Policy header; the header has to be set before chain.doFilter(), because headers added after the response is committed are dropped:
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.java.Log;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Ordered.LOWEST_PRECEDENCE) // what a bare @Order() defaults to: runs after RequestFilter
@Log
public class ResponseFilter implements Filter {
    @Value("${ce.security.cors}")
    private String cors;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse httpResponse) {
            var cspKey = "Content-Security-Policy";
            // CSP source lists are space separated, so normalise a comma-separated allow-list
            var domains = cors.replace(',', ' ') + " https://cdn.auth0.com https://aimmoth.eu.auth0.com";
            // default-src 'self' plus the listed origins; there is no 'unsafe-inline', so inline
            // scripts and styles are blocked unless a more specific directive allows them
            var cspValue = String.format("default-src 'self' %s;", domains);
            log.info("Setting " + cspKey + " to " + cspValue);
            httpResponse.setHeader(cspKey, cspValue); // setHeader: no duplicate on a re-dispatched request
        } else {
            log.info("Other type:" + response.getClass());
        }
        // Header must be in place before the chain commits the response, so the chain call comes last
        chain.doFilter(request, response);
    }
}
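Putting the two filters together, here is an added example (my code, not the post's or the linked repository's) of a single jakarta.servlet.Filter that does exact-match CORS including the preflight OPTIONS exchange, and sets a Content-Security-Policy with a per-request nonce instead of widening default-src. It assumes Spring Boot 3 on Java 17, the post's ce.security.cors property in a whitespace- or comma-separated format, a hypothetical ce.security.csp-extra property for CDN origins such as the Auth0 ones, and a hypothetical request attribute name csp.nonce.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import java.util.stream.Collectors;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Added example, not the post's code: exact-match CORS with preflight handling plus a
// nonce-based CSP in one filter. Property names and formats below are assumptions.
@Component
@Order(1)
public class CorsCspFilter implements Filter {

    // Hypothetical request attribute; templates read it to emit <script nonce="...">.
    public static final String NONCE_ATTR = "csp.nonce";

    private final Set<String> allowedOrigins;   // exact "scheme://host[:port]" strings
    private final String cspExtraSources;       // e.g. CDN origins allowed for scripts
    private final SecureRandom random = new SecureRandom();

    public CorsCspFilter(@Value("${ce.security.cors}") String cors,                    // assumed: space/comma separated
                         @Value("${ce.security.csp-extra:}") String cspExtraSources) { // assumed property, may be empty
        this.allowedOrigins = Arrays.stream(cors.split("[,\\s]+"))
                .filter(s -> !s.isBlank())
                .collect(Collectors.toUnmodifiableSet());
        this.cspExtraSources = cspExtraSources.replace(',', ' ').trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest request) || !(res instanceof HttpServletResponse response)) {
            chain.doFilter(req, res);
            return;
        }
        // The answer depends on Origin, so shared caches must key on it, even for refusals.
        response.addHeader("Vary", "Origin");

        String origin = request.getHeader("Origin");
        if (origin != null) {
            // Exact set membership; a contains() substring test would let "a.example" in
            // because "bad-a.example" is listed.
            if (!allowedOrigins.contains(origin)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "origin not allowed");
                return;
            }
            // Reflect the single matched origin; browsers refuse "*" for credentialed requests.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Preflights carry no credentials; answer here instead of running controllers.
                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
                response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        // No Origin header means a same-origin navigation or a non-browser client; CORS cannot
        // police those, authentication has to.

        // Fresh nonce per response so inline scripts can be allowed without 'unsafe-inline'.
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        String nonce = Base64.getEncoder().encodeToString(buf);
        request.setAttribute(NONCE_ATTR, nonce);

        String sources = (String.join(" ", allowedOrigins) + " " + cspExtraSources).trim();
        String csp = "default-src 'self'; "
                + "script-src 'self' 'nonce-" + nonce + "' " + sources + "; "
                + "connect-src 'self' " + sources + "; "
                + "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
        // Set before the chain runs: once the response is committed, new headers are dropped.
        response.setHeader("Content-Security-Policy", csp);

        chain.doFilter(request, response);
    }
}
```

A quick check from the command line: `curl -i -X OPTIONS -H 'Origin: https://evil.example' -H 'Access-Control-Request-Method: POST' http://localhost:8080/api` should return 403 with no Access-Control-Allow-Origin, while the same request with a listed origin returns 204 with that origin reflected. Server-side templates emit the nonce from the request attribute as `<script nonce="...">`, so inline bootstrap scripts keep working without 'unsafe-inline'.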