Skip to content

Commit

Permalink
Merge pull request #1359 from CMSgov/feature/QPPSE-708_sanitize-api-i…
Browse files Browse the repository at this point in the history
…nputs

[QPPSE-708] Security updates
  • Loading branch information
saquino0827 authored Aug 4, 2023
2 parents 73c56f9 + 3cbca44 commit 82da441
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 1 deletion.
6 changes: 6 additions & 0 deletions converter/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,12 @@
<version>2.12.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>commons</artifactId>
<version>2022.2.0-RELEASE</version>
<scope>compile</scope>
</dependency>

</dependencies>
</project>
Original file line number Diff line number Diff line change
@@ -1,11 +1,13 @@
package gov.cms.qpp.conversion.api.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

import gov.cms.qpp.conversion.api.security.JwtAuthorizationFilter;

Expand Down Expand Up @@ -42,6 +44,11 @@ protected void configure(HttpSecurity http) throws Exception {
.addFilter(new JwtAuthorizationFilter(authenticationManager(), Set.of(orgName, rtiOrgName)))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().cors()
.and().csrf().disable();
.and().csrf().disable()
.headers(headers -> headers
.contentSecurityPolicy(csp -> csp
.policyDirectives("script-src 'self'")
)
);
}
}

0 comments on commit 82da441

Please sign in to comment.