OTR:AKR(Backend): Security audit fixes. Added cache no-store and CSP …

…policy

backend/akr/src/main/java/fi/oph/akr/api/clerk/StatisticsController.java

@@ -127,6 +127,7 @@ public void getEmailStatisticsByYear(final HttpServletResponse response) throws
   private static void writeHeaders(final HttpServletResponse response, final String filename) {
     response.setContentType(MEDIA_TYPE_XLSX);
     response.addHeader("Content-Disposition", String.format("attachment; filename=\"%s\"", filename));
+    response.setHeader("Cache-Control", "no-cache, no-store, private, max-age=0, must-revalidate");
   }
 
   private void writeContactRequestStatisticsExcel(

backend/akr/src/main/java/fi/oph/akr/config/security/WebSecurityConfig.java

@@ -159,6 +159,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
           .permitAll()
           .anyRequest()
           .authenticated()
+      )
+      .headers(httpSecurityHeadersConfigurer ->
+        httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+          contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+        )
       );
   }
 

backend/otr/src/main/java/fi/oph/otr/config/security/WebSecurityConfig.java

@@ -159,6 +159,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
           .permitAll()
           .anyRequest()
           .authenticated()
+      )
+      .headers(httpSecurityHeadersConfigurer ->
+        httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+          contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+        )
       );
   }