From ca6cd9854f8c8cf1e0e14fed3e7c0073da3270d6 Mon Sep 17 00:00:00 2001
From: Jarkko Pesonen <435495+jrkkp@users.noreply.github.com>
Date: Thu, 30 Jan 2025 14:29:53 +0200
Subject: [PATCH] VKT(Backend): Security audit fixes. Added cache no-store and CSP policy
---
 .../java/fi/oph/vkt/api/clerk/ClerkExamEventController.java | 5 +++++
 .../java/fi/oph/vkt/config/security/WebSecurityConfig.java | 5 +++++
 .../vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java | 1 +
 3 files changed, 11 insertions(+)
diff --git a/backend/vkt/src/main/java/fi/oph/vkt/api/clerk/ClerkExamEventController.java b/backend/vkt/src/main/java/fi/oph/vkt/api/clerk/ClerkExamEventController.java
index 90b0c00ae..c0f83c350 100644
--- a/backend/vkt/src/main/java/fi/oph/vkt/api/clerk/ClerkExamEventController.java
+++ b/backend/vkt/src/main/java/fi/oph/vkt/api/clerk/ClerkExamEventController.java
@@ -1,5 +1,6 @@
 package fi.oph.vkt.api.clerk;
+import static org.springframework.http.HttpStatus.OK;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 import fi.oph.vkt.api.dto.clerk.ClerkExamEventCreateDTO;
@@ -9,9 +10,13 @@ import fi.oph.vkt.service.ClerkExamEventService;
 import io.swagger.v3.oas.annotations.Operation;
 import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import java.util.List;
+import org.springframework.http.CacheControl;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/backend/vkt/src/main/java/fi/oph/vkt/config/security/WebSecurityConfig.java b/backend/vkt/src/main/java/fi/oph/vkt/config/security/WebSecurityConfig.java
index 4bca28468..e9fe372cf 100644
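Review bot: The five imports added to ClerkExamEventController (`HttpStatus.OK`, `HttpServletResponse`, `CacheControl`, `HttpHeaders`, `ResponseEntity`) are the file's only change in this patch — the diffstat shows `5 +++++` and both hunks contain nothing but import lines — so nothing in the commit uses them. Either the handler change that was meant to return a `ResponseEntity` carrying a no-store `CacheControl` header (the "cache no-store" of the commit subject) was left out of the commit, or these are dead imports that an unused-import check will flag; the commit should carry the handler change or drop the imports. The second hunk in this file has the same issue. The class body these imports belong to is outside both hunks.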
--- a/backend/vkt/src/main/java/fi/oph/vkt/config/security/WebSecurityConfig.java
+++ b/backend/vkt/src/main/java/fi/oph/vkt/config/security/WebSecurityConfig.java
@@ -160,6 +160,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
 .permitAll()
 .anyRequest()
 .authenticated()
+ )
+ .headers(httpSecurityHeadersConfigurer ->
+ httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+ contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+ )
 );
 }
diff --git a/backend/vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java b/backend/vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java
index 66b2e82d0..c05ca01b2 100644
--- a/backend/vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java
+++ b/backend/vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java
@@ -31,6 +31,7 @@ protected void buildExcelDocument(
 final @NonNull HttpServletResponse response
 ) {
 setFilenameHeader(response, String.format("VKT_tilaisuus_%s_%s.xlsx", data.date(), data.language()));
+ response.setHeader("Cache-Control", "no-cache, no-store, private, max-age=0, must-revalidate");
 writeExcel(workbook);
 }
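Review bot: The policy passed to `policyDirectives(...)` names only `style-src`, `script-src` and `form-action` and sets no `default-src`, so every fetch directive it omits (`connect-src`, `img-src`, `font-src`, `frame-src`, `object-src`) plus `base-uri` and `frame-ancestors` stays unrestricted, which leaves plugin embedding and `<base>` injection outside what this audit fix covers. A fuller baseline would be `contentSecurityPolicyConfig.policyDirectives("default-src 'self'; style-src 'self'; script-src 'self'; form-action 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")`, after confirming the frontend loads no fonts, images or API calls from other origins and is not meant to be framed; `contentSecurityPolicyConfig.reportOnly()` is a low-risk way to stage the stricter policy. Whether this header reaches the HTML document at all depends on what serves the SPA, which is not visible here. The `commonConfig` chain that this `.headers(...)` call is appended to starts before the hunk.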
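Review bot: The `response.setHeader("Cache-Control", ...)` line hard-codes both the header name and a hand-written value while the same commit imports Spring's `HttpHeaders` and `CacheControl` into the controller, so the cache policy is now expressed in two different ways that can drift; at minimum use `HttpHeaders.CACHE_CONTROL` for the name and keep the value in one shared constant. If Spring Security's default `CacheControlHeadersWriter` applies to this path it already emits `no-cache, no-store, max-age=0, must-revalidate` plus `Pragma: no-cache` and `Expires: 0` whenever no `Cache-Control` header is present, in which case the only effect of this line is the added `private` token, which adds little beyond `no-store`; a short comment stating why the explicit header is needed here (e.g. `// set explicitly: this view's response may bypass the security header writers — confirm`) would save the next reader the question. Conversely, if the security writer does not cover this download, `Pragma: no-cache` should be set alongside it for HTTP/1.0 caches. `buildExcelDocument` starts before the hunk.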