CSP using Spring Security

Configuring CSP through the Spring Security configuration is a breeze. Spring Security does not enable CSP by default; you enable it in the Spring Security configuration, as shown in the following code snippet:

    // Send a Content-Security-Policy header carrying this policy
    http
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/");

To apply the same policy in report-only mode, the Spring Security configuration is as follows:

    // reportOnly() switches the header to Content-Security-Policy-Report-Only
    http
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/")
            .reportOnly();
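
An added example (not from the book) of an endpoint that receives the reports browsers send to the report-uri in the policy above, wired together with the report-only configuration. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter and Spring MVC; the class names CspSecurityConfig and CspReportController, and the CSRF and authorization rules, are illustrative assumptions.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical configuration class: report-only CSP plus access rules for the report endpoint.
@Configuration
@EnableWebSecurity
class CspSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Browsers POST reports without a CSRF token, so exempt only this path.
            .csrf().ignoringAntMatchers("/csp-report-api/")
            .and()
            .authorizeRequests()
                // Violations can occur on pages served before login.
                .antMatchers("/csp-report-api/").permitAll()
                .anyRequest().authenticated()
            .and()
            .headers()
                .contentSecurityPolicy("script-src 'self' https://trusted-domain.com; report-uri /csp-report-api/")
                .reportOnly();
    }
}

// Hypothetical controller: logs each violation report for later review.
@RestController
class CspReportController {
    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    private static final int MAX_LOGGED_CHARS = 4096; // assumed cap on logged report size

    @PostMapping("/csp-report-api/")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    void report(@RequestBody String body) {
        // Report bodies are untrusted input: cap the length and strip CR/LF before logging.
        String clipped = body.length() > MAX_LOGGED_CHARS ? body.substring(0, MAX_LOGGED_CHARS) : body;
        log.warn("CSP violation report: {}", clipped.replaceAll("[\\r\\n]", " "));
    }
}
```

Once the logged reports show only expected violations, removing reportOnly() makes the browser enforce the same policy.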