Configuring CSP using Spring Security configuration is a breeze. By default, CSP is not enabled. You can enable it in Spring Security configuration, as shown in the following code snippet:
http
    .headers()
    .contentSecurityPolicy("script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/");
The report-only variant, which sends the Content-Security-Policy-Report-Only header so that violations are reported to the report-uri but not blocked, is configured in Spring Security as follows:
http
    .headers()
    .contentSecurityPolicy("script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/")
    .reportOnly();
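Putting the two snippets above into a complete configuration, as an added example that is not from the original text: the same policy and report-uri, expressed in the Spring Security 6 lambda DSL, together with the endpoint that actually receives the reports. It assumes Spring Boot 3 / Spring Security 6; the class, bean and field names are illustrative. The check practitioners most often miss is that the report endpoint must be anonymous and exempt from CSRF protection, because browsers POST violation reports without a session or token.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
// Added example, not code from the original text. Assumes Spring Boot 3 / Spring Security 6
// (lambda DSL); class, bean and field names are illustrative.
@Configuration
@EnableWebSecurity
public class CspSecurityConfig {
    static final String CSP = "script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Browsers POST violation reports with no session and no CSRF token, so the
            // report endpoint must be anonymous and CSRF-exempt or every report is dropped.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/csp-report-api/"))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/csp-report-api/").permitAll()
                .anyRequest().authenticated())
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives(CSP)
                    // Sends Content-Security-Policy-Report-Only (report, don't block).
                    // Remove this call to enforce the policy once the reports are clean.
                    .reportOnly()));
        return http.build();
    }
}

@RestController
class CspReportController {
    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    // Browsers send application/csp-report; plain JSON is accepted for manual testing.
    // Reading the body as a String avoids needing a JSON converter for that media type.
    @PostMapping(path = "/csp-report-api/", consumes = {"application/csp-report", "application/json"})
    public ResponseEntity<Void> receive(@RequestBody String report) {
        // Untrusted input: log it truncated and never echo it into a page.
        log.warn("CSP violation report: {}", report.length() > 4096 ? report.substring(0, 4096) : report);
        return ResponseEntity.noContent().build();
    }
}
```

On Spring Security 5.x the equivalent CSRF call is `ignoringAntMatchers` and the authorization matcher is `antMatchers`; everything else is unchanged.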