java.lang.Object
- org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter

All Implemented Interfaces:

HeaderWriter
```
public final class ContentSecurityPolicyHeaderWriter
extends java.lang.Object
implements HeaderWriter
```
Provides support for Content Security Policy (CSP) Level 2.

CSP provides a mechanism for web applications to mitigate content injection vulnerabilities, such as cross-site scripting (XSS). CSP is a declarative policy that allows web application authors to inform the client (user-agent) about the sources from which the application expects to load resources.

For example, a web application can declare that it only expects to load script from specific, trusted sources. This declaration allows the client to detect and block malicious scripts injected into the application by an attacker.

A declaration of a security policy contains a set of security policy directives (for example, script-src and object-src), each responsible for declaring the restrictions for a particular resource type. The list of directives defined can be found at Directives.

Each directive has a name and value. For detailed syntax on writing security policies, see Syntax and Algorithms.

This implementation of HeaderWriter writes one of the following headers:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
By default, the Content-Security-Policy header is included in the response. However, calling setReportOnly(boolean) with true will include the Content-Security-Policy-Report-Only header in the response. NOTE: The supplied security policy directive(s) will be used for whichever header is enabled (included).

CSP is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is used to reduce the harm caused by content injection attacks. As a first line of defense against content injection, web application authors should validate their input and encode their output.
Since:

4.1

Constructor Summary

Constructors
Constructor	Description
`ContentSecurityPolicyHeaderWriter()`	Creates a new instance.
`ContentSecurityPolicyHeaderWriter(java.lang.String policyDirectives)`	Creates a new instance

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`void`	`setPolicyDirectives(java.lang.String policyDirectives)`	Sets the security policy directive(s) to be used in the response header.
`void`	`setReportOnly(boolean reportOnly)`	If true, includes the Content-Security-Policy-Report-Only header in the response, otherwise, defaults to the Content-Security-Policy header.
`java.lang.String`	`toString()`
`void`	`writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`	Create a `Header` instance.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

- Constructor Detail
  - ContentSecurityPolicyHeaderWriter
```
public ContentSecurityPolicyHeaderWriter()
```
    Creates a new instance. Default value: default-src 'self'
  - ContentSecurityPolicyHeaderWriter
```
public ContentSecurityPolicyHeaderWriter(java.lang.String policyDirectives)
```
    Creates a new instance
    
    Parameters:
    
    policyDirectives - maps to setPolicyDirectives(String)
    
    Throws:
    
    java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Method Detail
  - writeHeaders
```
public void writeHeaders(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
```
    Description copied from interface: HeaderWriter
    
    Create a Header instance.
    
    Specified by:
    
    writeHeaders in interface HeaderWriter
    
    Parameters:
    
    request - the request
    
    response - the response
    
    See Also:
    
    HeaderWriter.writeHeaders(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
  - setPolicyDirectives
```
public void setPolicyDirectives(java.lang.String policyDirectives)
```
    Sets the security policy directive(s) to be used in the response header.
    
    Parameters:
    
    policyDirectives - the security policy directive(s)
    
    Throws:
    
    java.lang.IllegalArgumentException - if policyDirectives is null or empty
  - setReportOnly
```
public void setReportOnly(boolean reportOnly)
```
    If true, includes the Content-Security-Policy-Report-Only header in the response, otherwise, defaults to the Content-Security-Policy header.
    
    Parameters:
    
    reportOnly - set to true for reporting policy violations only
  - toString
```
public java.lang.String toString()
```
    Overrides:
    
    toString in class java.lang.Object

Class ContentSecurityPolicyHeaderWriter

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

ContentSecurityPolicyHeaderWriter

ContentSecurityPolicyHeaderWriter

Method Detail

writeHeaders

setPolicyDirectives

setReportOnly

toString