Here is a code snippet from my spring-security.xml
<http pattern="/*/yyy/**" security="none" />
<http pattern="/*/zzz/**" security="none" />
<http create-session="stateless" use-expressions="true">
    <csrf disabled="true" />
    <intercept-url method="GET" pattern="/*/api/products" access="xxxx" />
    <http-basic entry-point-ref="customBasicAuthenticationEntryPoint" />
</http>
Now, for the http patterns with security="none" above, I want to enable Content Security Policy (CSP). As long as I keep security="none", I don't think I can apply CSP to them.
The header to enable CSP in Spring Security is like:
<headers>
    <header name="Content-Security-Policy" value="default-src 'self'" />
</headers>
Now, I want to apply this header only to the first two http patterns where I have security="none" right now, and not to the rest of the URLs I have added in the next http block. I just could not find a way to do it. Is it possible? Can someone please suggest?
I don't need to define entry-point-ref for these first two patterns. But removing security="none" kind of forces me to define one. Please note that all I want is to be able to enable CSP for those selected patterns, and that is all. Please help!
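One way to get a CSP header onto those paths, shown here as an added example configuration rather than the asker's own file: security="none" skips the filter chain entirely, so no header filter ever runs for those requests; instead, give each public path its own `<http>` chain that permits every request and carries the `<headers>` element. This assumes the Spring Security 3.2 or later XML namespace (where `<headers>` exists), a `beans:` prefix for plain bean definitions, and a bean id `forbiddenEntryPoint` of class `org.springframework.security.web.authentication.Http403ForbiddenEntryPoint` (a class that ships with Spring Security) to satisfy the entry-point requirement the question mentions. The path patterns and the catch-all chain are the ones from the question.

```xml
<!-- Added example, not the asker's configuration. Assumes Spring Security 3.2+ XML
     namespace; the beans: prefix and the bean id forbiddenEntryPoint are assumptions. -->

<!-- Entry point that exists only to satisfy the namespace requirement. It is never
     reached in practice because every URL in the public chains below is permitAll. -->
<beans:bean id="forbiddenEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<!-- Before: no filter chain at all, so the CSP header cannot be added here.
<http pattern="/*/yyy/**" security="none" />
<http pattern="/*/zzz/**" security="none" />
-->

<!-- After: one dedicated chain per public path. Chains are matched in declaration order,
     so these must stay above the catch-all chain that has no pattern attribute. -->
<http pattern="/*/yyy/**" create-session="stateless" use-expressions="true"
      entry-point-ref="forbiddenEntryPoint">
    <!-- Open to everyone: the chain exists only to run the header filter. -->
    <intercept-url pattern="/**" access="permitAll" />
    <csrf disabled="true" />
    <headers>
        <header name="Content-Security-Policy" value="default-src 'self'" />
    </headers>
</http>

<http pattern="/*/zzz/**" create-session="stateless" use-expressions="true"
      entry-point-ref="forbiddenEntryPoint">
    <intercept-url pattern="/**" access="permitAll" />
    <csrf disabled="true" />
    <headers>
        <header name="Content-Security-Policy" value="default-src 'self'" />
    </headers>
</http>

<!-- Unchanged catch-all chain from the question: no <headers> element, so the CSP
     header is not sent for the API URLs. -->
<http create-session="stateless" use-expressions="true">
    <csrf disabled="true" />
    <intercept-url method="GET" pattern="/*/api/products" access="xxxx" />
    <http-basic entry-point-ref="customBasicAuthenticationEntryPoint" />
</http>
```

Two things to check after applying this: first, hit a `/*/yyy/**` URL and an API URL and compare the response headers, since the only difference between the chains should be the `Content-Security-Policy` header. Second, be aware that in Spring Security 4.x the `<headers>` element also emits its default protective headers (for example `X-Content-Type-Options` and `X-Frame-Options`) alongside the one listed, unless `defaults-disabled="true"` is set, whereas 3.2 emits only the children you declare; decide explicitly which behaviour you want for the public paths.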