diff --git a/REFERENCE.md b/REFERENCE.md
index c7b4a84f..68ac1bb0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -218,6 +218,7 @@ The following parameters are available in the `icingaweb2` class:
 * [`conf_group`](#-icingaweb2--conf_group)
 * [`default_domain`](#-icingaweb2--default_domain)
 * [`cookie_path`](#-icingaweb2--cookie_path)
+* [`use_strict_csp`](#-icingaweb2--use_strict_csp)
 * [`admin_role`](#-icingaweb2--admin_role)
 * [`default_admin_username`](#-icingaweb2--default_admin_username)
 * [`default_admin_password`](#-icingaweb2--default_admin_password)
@@ -476,6 +477,14 @@ Path to where cookies are stored.
 
 Default value: `undef`
 
+##### <a name="-icingaweb2--use_strict_csp"></a>`use_strict_csp`
+
+Data type: `Optional[Boolean]`
+
+Enable the inclusion of Content Security Policy (CSP) headers in application responses.
+
+Default value: `undef`
+
 ##### <a name="-icingaweb2--admin_role"></a>`admin_role`
 
 Data type: `Variant[Icingaweb2::AdminRole, Boolean[false]]`
diff --git a/manifests/config.pp b/manifests/config.pp
index f8dd6872..16f1cd75 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -21,6 +21,8 @@
 
   $cookie_path          = $icingaweb2::cookie_path
 
+  $use_strict_csp       = $icingaweb2::use_strict_csp
+
   $resources            = $icingaweb2::resources
   $default_auth_backend = $icingaweb2::default_auth_backend
   $user_backends        = $icingaweb2::user_backends
@@ -103,6 +105,16 @@
     }
   }
 
+  if $use_strict_csp =~ NotUndef {
+    icingaweb2::inisection { 'config-security':
+      section_name => 'security',
+      target       => "${conf_dir}/config.ini",
+      settings     => {
+        'use_strict_csp' => $use_strict_csp,
+      },
+    }
+  }
+
   # Additional resources
   $resources.each |String $res, Hash $cfg| {
     case $cfg['type'] {
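Review bot: The `if $use_strict_csp =~ NotUndef` guard gives the parameter three distinct effects on the managed file — `undef` leaves `config.ini` untouched, `true` enables, and `false` writes an explicit opt-out into `[security]` — and nothing in the hunk says so; a one-line comment above the guard would help, e.g. `# undef: leave the application default unmanaged; false: write an explicit opt-out`. The value is passed through as a Puppet Boolean, so what Icinga Web 2 actually reads depends on how `icingaweb2::inisection` renders booleans; worth confirming against that define that the result is a form the application accepts, since a mis-rendered value would presumably leave CSP off without any catalog error. As far as I recall the `security`/`use_strict_csp` key is only honoured by Icinga Web 2 releases that ship CSP support (2.12 and later), so on older installs the setting is silently inert rather than a hardening control — a caveat worth a comment or a docs line. The enclosing class body continues outside this hunk.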
diff --git a/manifests/init.pp b/manifests/init.pp
index 00949a50..a1016e9b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -110,6 +110,9 @@
 # @param cookie_path
 #   Path to where cookies are stored.
 #
+# @param use_strict_csp
+#   Enable the inclusion of Content Security Policy (CSP) headers in application responses.
+#
 # @param admin_role
 #   Manage a role for admin access.
 #
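Review bot: The `@param use_strict_csp` text only describes the enabled case, whereas the parameter's default `undef` leaves the `[security]` section unmanaged (the application default applies) and `false` writes an explicit opt-out, which operators need to know. Suggested wording: `#   Set to true to have Icinga Web 2 send Content Security Policy (CSP) headers, or false to write an explicit opt-out to the [security] section of config.ini.` followed by `#   When undef (default) the setting is not managed and the application default applies.` It would also be useful to add that a strict CSP can block inline scripts or styles in modules not written for it, so it should be enabled only after checking the installed modules. The class parameter list this comment documents is in a later hunk.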
@@ -255,6 +258,7 @@
   Optional[Array[String[1]]]                      $extra_packages      = undef,
   Optional[String[1]]                             $default_domain      = undef,
   Optional[Stdlib::Absolutepath]                  $cookie_path         = undef,
+  Optional[Boolean]                               $use_strict_csp      = undef,
 ) {
   require icingaweb2::globals
 
diff --git a/spec/classes/icingaweb2_spec.rb b/spec/classes/icingaweb2_spec.rb
index 847a28d4..f0159aea 100644
--- a/spec/classes/icingaweb2_spec.rb
+++ b/spec/classes/icingaweb2_spec.rb
@@ -68,6 +68,7 @@
             )
         }
         it { is_expected.not_to contain_icingaweb2__inisection('config-authentication') }
+        it { is_expected.not_to contain_icingaweb2__inisection('config-security') }
         it { is_expected.not_to contain_icingaweb2__inisection('config-cookie') }
         it {
           is_expected.to contain_icingaweb2__resource__database('icingaweb2')
@@ -120,6 +121,38 @@
         }
       end
 
+      context "#{os} with use_strict_csp 'true'" do
+        let(:params) do
+          {
+            use_strict_csp: true,
+            db_type: 'mysql',
+          }
+        end
+
+        it {
+          is_expected.to contain_icingaweb2__inisection('config-security')
+            .with_section_name('security')
+            .with_target('/etc/icingaweb2/config.ini')
+            .with_settings({ 'use_strict_csp' => true })
+        }
+      end
+
+      context "#{os} with use_strict_csp 'false'" do
+        let(:params) do
+          {
+            use_strict_csp: false,
+            db_type: 'mysql',
+          }
+        end
+
+        it {
+          is_expected.to contain_icingaweb2__inisection('config-security')
+            .with_section_name('security')
+            .with_target('/etc/icingaweb2/config.ini')
+            .with_settings({ 'use_strict_csp' => false })
+        }
+      end
+
       context "#{os} with default_auth_backend 'false', additional resources, user and group backend" do
         let(:params) do
           {