[GEOS-11346] Apply suggestions from code review
sikeoka committed Apr 10, 2024
1 parent 20d41e9 commit c414fd6
Showing 17 changed files with 123 additions and 367 deletions.
2 changes: 1 addition & 1 deletion doc/en/user/source/production/config.rst
Expand Up @@ -318,7 +318,7 @@ variable or web.xml init parameter.
.. _production_config_csp:

Content-Security-Policy
-----------------------
'''''''''''''''''''''''

In order to mitigate cross-site scripting and clickjacking attacks GeoServer defaults to setting
the Content-Security-Policy HTTP header based on rules loaded from a configuration file. See the
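Review bot: changing the underline under "Content-Security-Policy" from `-` to `'` changes the heading's level, because reStructuredText assigns levels by the order in which underline characters first appear in the file, so this section now sits at a different depth than its neighbours. Confirm that `'` is the character config.rst already uses for the intended level and that the `production_config_csp` label still resolves to a heading shown in the table of contents where readers expect it.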
57 changes: 12 additions & 45 deletions doc/en/user/source/security/csp.rst
Expand Up @@ -3,35 +3,23 @@
Content Security Policy
=======================

The :guilabel:`Content Security Policy` page controls the checks that are performed on GeoServer
requests that GeoServer will use to set an appropriate Content-Security-Policy (CSP) HTTP
response header to mitigate cross-site scripting and clickjacking attacks.
The :guilabel:`Content Security Policy` page controls how GeoServer prepares the Content-Security-Policy (CSP) HTTP response headers, used to mitigate cross-site scripting and clickjacking attacks.

.. note::
The settings on this page do not affect anything if the CSP header has been disabled using the
The settings on this page do not affect anything if the CSP headers have been disabled using the
``geoserver.csp.shouldSetPolicy`` property or if the ``geoserver.csp.policy`` property is used
to set a fixed header value.

.. note::
Starting with version 9, Wicket will set its own CSP header with a very strict policy that will
overwrite what is set by GeoServer although there is a workaround in place to merge directives
set by GeoServer that are either not supported or not set by default by Wicket (particularly
``form-action`` and ``frame-ancestors``). Wicket's CSP is separate from GeoServer's
functionality and will otherwise not be affected by GeoServer's configuration.

Default Configuration
---------------------

The default CSP configuration is intended to support many GeoServer use cases and allow users to
securely run GeoServer without having to modify the configuration. It may be updated in future
releases to fix bugs, support new features or enhance security.

The default header value for most GeoServer requests will be (without line breaks):
The default header value for most GeoServer requests will be::

::
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self';
font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';,
frame-ancestors 'self';
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self';

and the ``'unsafe-inline'`` and ``'unsafe-eval'`` sources will be added to the ``script-src``
directive for specific requests that require unsafe JavaScript. The default configuration may be
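Review bot: the sample header value still ends in `script-src 'self';, frame-ancestors 'self';`, and the `;,` reads as a typo. If the comma marks the boundary between two separate Content-Security-Policy header values (the rewritten first paragraph now says "headers" in the plural), say so in the sentence that introduces the block or show the two values on separate lines; otherwise drop the comma. Separately, deleting the second note removes the only place in this hunk that records that Wicket 9 sets its own strict CSP header and that GeoServer merges `form-action` and `frame-ancestors` into it; if that behaviour still holds, keep the note, and if it was moved elsewhere or is no longer accurate, a one-line pointer is enough.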
Expand Down Expand Up @@ -72,14 +60,9 @@ necessary for certain use cases where web browsers are able to access a GeoServe
rather than through the proxy and the HTML response contains absolute URLs to the proxy base URL.
This does not guarantee that other browser restrictions will not prevent the page from functioning.
Enabling this with a proxy base URL set to ``https://geoserver.org`` would change the header value
at the top of this page to:
at the top of this page to::

::
base-uri 'self'; form-action 'self' https://geoserver.org; default-src 'none';
child-src 'self' https://geoserver.org; connect-src 'self' https://geoserver.org;
font-src 'self https://geoserver.org'; img-src 'self' https://geoserver.org data:;
style-src 'self' https://geoserver.org 'unsafe-inline';
script-src 'self' https://geoserver.org;, frame-ancestors 'self';
base-uri 'self'; form-action 'self' https://geoserver.org; default-src 'none'; child-src 'self' https://geoserver.org; connect-src 'self' https://geoserver.org; font-src 'self https://geoserver.org'; img-src 'self' https://geoserver.org data:; style-src 'self' https://geoserver.org 'unsafe-inline'; script-src 'self' https://geoserver.org;, frame-ancestors 'self';

Use the :guilabel:`Allowed sources for external web resources` text field to add sources to the
``font-src``, ``img-src``, ``style-src``, and ``script-src`` directives for static web files (if
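Review bot: the proxy base URL example carries `font-src 'self https://geoserver.org'` with the closing quote after the host instead of after `self`; the same line in the other examples in this file reads `font-src 'self' https://geoserver.org`, which is the valid form, so fix the quoting here. Also, now that the sentences end in `::`, the single-line literal block that follows must be indented relative to the paragraph or Sphinx will not render it as a literal block; the rendered diff does not show leading whitespace, so please check that in the source.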
Expand All @@ -88,25 +71,18 @@ property). This is intended to make it easier to allow loading these resources f
other external host. Only trusted hosts should be added here to prevent cross-site scripting
attacks. The ``geoserver.csp.externalResources`` system property will override this field if it has
been set. Setting this to ``'self' https://geoserver.org`` would set the following header value for
an HTML file in the static files directory:
an HTML file in the static files directory::

::
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self';
font-src 'self' https://geoserver.org; img-src 'self' https://geoserver.org data:;
style-src 'self' https://geoserver.org 'unsafe-inline';
script-src 'self' https://geoserver.org;, frame-ancestors 'self';
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self' https://geoserver.org; img-src 'self' https://geoserver.org data:; style-src 'self' https://geoserver.org 'unsafe-inline'; script-src 'self' https://geoserver.org;, frame-ancestors 'self';

Use the :guilabel:`Allowed frame-ancestors directive sources` text field to control the sources of
the ``frame-ancestors`` directive. This is intended to make it easier for administrators to allow
specific external hosts to load GeoServer content in frames. Only trusted hosts should be added
here to prevent clickjacking attacks. The ``geoserver.csp.frameAncestors`` system property will
override this field if it has been set. Setting this to ``'self' https://geoserver.org`` would
change the header value at the top of this page to:
change the header value at the top of this page to::

::
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self';
font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';,
frame-ancestors 'self' https://geoserver.org;
base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self' https://geoserver.org;

Configuring Policies
--------------------
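Review bot: both examples in this hunk show that `'unsafe-inline'` stays in `style-src` and `data:` stays in `img-src` after external sources are added, so these fields only add sources to the defaults and never replace them; one sentence saying so in each paragraph would stop administrators from expecting the field to narrow the policy. Since both paragraphs already warn that only trusted hosts belong here, it is also worth stating that a wildcard or scheme-only source (`*`, `https:`) effectively removes the protection that `script-src` and `frame-ancestors` provide.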
Expand Down Expand Up @@ -174,21 +150,13 @@ Request Filters

The filter contains a string of predicates concatenated with the string ``AND`` and the rule's
directives will be applied to a request only if all of the predicates match the request. There
are several different predicates that can be used:
are four different predicates that can be used:

* CLASS(name): Returns true if the specified class name is available on the classpath. For security
reasons, the class name must be in the ``org.geoserver``, ``org.geotools``, or
``org.geowebcache`` package or a subpackage. This is intended to restrict default rules to only
apply when a specific module is installed and may not be useful to administrators.
Example: ``CLASS(org.geoserver.web.GeoServerApplication)``
* PROP(key,value_regex): Returns true if the value for the property key matches the regex. Keys are
case-sensitive and must contain must contain the string ``GeoServer``, ``GeoTools``, or
``GeoWebCache`` anywhere in the key (case-insensitive). The regex will be tested against an empty
string if the property is not set.
Example: ``PROP(GEOSERVER_CONSOLE_DISABLED,(?i)^(?!true$).*$)``
* METHOD(methods): Returns true if the HTTP request method is in the comma-separated list of
allowed methods.
Example: ``METHOD(GET,HEAD)``
* PATH(regex): Returns true if the URL-decoded request path matches the regular expression. The
regex will be tested against the path that is relative to GeoServer's context root and starting
with a forward slash.
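Review bot: the count "four different predicates" does not match the visible list, which after removing CLASS shows PROP, METHOD and PATH; unless a fourth predicate follows PATH below this hunk, say "three" or drop the number. While touching this list, the unchanged PROP line reads "must contain must contain", and removing the `PROP(GEOSERVER_CONSOLE_DISABLED,(?i)^(?!true$).*$)` and `METHOD(GET,HEAD)` examples leaves the regex-against-empty-string rule for PROP with no illustration; consider keeping at least the PROP example.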
Expand Down Expand Up @@ -259,9 +227,8 @@ REST Resources API, it is possible to create a file that GeoServer cannot parse.
GeoServer will fall back to using very strict header directives until the configuration file is
fixed. The ``geoserver.csp.fallbackDirectives`` property can be set either via Java system
property, command line argument (-D), environment variable or web.xml init parameter to change the
fallback directives from the default value:
fallback directives from the default value::

::
base-uri 'none'; form-action 'none'; default-src 'none'; frame-ancestors 'none';

The keyword ``NONE`` can be used to specify that no header value will be assigned to rquests when
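Review bot: "rquests" on the unchanged last line should be "requests". It would also help to state plainly that the fallback value `base-uri 'none'; form-action 'none'; default-src 'none'; frame-ancestors 'none';` blocks every script, style and image load and all framing, so the web administration interface will not function until the configuration file is fixed; "very strict" undersells what an administrator will see.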
Binary file modified doc/en/user/source/security/images/csp-policy.png
Binary file modified doc/en/user/source/security/images/csp-rule.png
Expand Up @@ -63,9 +63,9 @@
* but this property allows the administrator to set a fixed header value, which can be useful in
* cases where JavaScript is not needed at all.
*/
public class XFrameOptionsFilter implements Filter {
public class SecurityHeadersFilter implements Filter {

private static final Logger LOGGER = Logging.getLogger(XFrameOptionsFilter.class);
private static final Logger LOGGER = Logging.getLogger(SecurityHeadersFilter.class);

private static final String DEFAULT_HSTS_POLICY = "max-age=31536000 ; includeSubDomains";
private static final String DEFAULT_FRAME_POLICY = "SAMEORIGIN";
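Review bot: renaming `XFrameOptionsFilter` to `SecurityHeadersFilter` breaks anything that references the filter by its fully qualified class name as a string, such as `<filter-class>` entries in web.xml or bean definitions in Spring context files, and the compiler will not catch those. Confirm that every such reference is among the 17 changed files in this commit, and consider keeping a deprecated `XFrameOptionsFilter` subclass for one release so existing deployments with a customised web.xml keep their security headers after upgrading. The Javadoc above the class still describes the behaviour accurately; the logger change on the next line is consistent with the rename.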