The filter SecureHeaders adds a content-security-policy header. This is contrary to the documentation saying "Spring Security does not add by default". It's also not documented how to disable it (from config).

To Reproduce: start a web server serving some content, add the SecureHeaders filter to a route to that web server, and check the response headers.

```yaml
webserver.url: "http://localhost:8080"
spring:
  cloud:
    gateway:
      routes:
        - id: webserver
          uri: ${webserver.url}
          predicates:
            - Path=/**
            - Method=GET
          filters:
            - SecureHeaders
```

Expected behavior: the response doesn't contain a content-security-policy header.

Sample https://github.com/robert-gdv/issue-spring-csp-header

Comment From: sjohnr

Hi @robert-gdv, thanks for reaching out!

The SecureHeaders filter you are referencing here is from Spring Cloud Gateway which is not part of Spring Security. Glancing at the docs, it appears SCG does add this header and documents that it does so. I would recommend reaching out on that project's issues if you believe this is a problem for SCG applications.
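For anyone landing here with the same question, the following is an added example (not part of the issue, and not Spring Cloud Gateway's own documentation or code) showing the configuration-only way to keep the SecureHeaders filter but opt out of the Content-Security-Policy header it adds by default. It reuses the route from the report above; the `spring.cloud.gateway.filter.secure-headers.disable` property is the mechanism the Spring Cloud Gateway SecureHeaders docs describe for suppressing individual default headers, and the exact key should be checked against the docs for the SCG version in use.

```yaml
# Added example, not from the issue or from Spring Cloud Gateway itself.
# Same route as in the report, plus the property that tells SecureHeaders
# which of its default headers NOT to add (comma-separated, lowercase names).
webserver.url: "http://localhost:8080"
spring:
  cloud:
    gateway:
      filter:
        secure-headers:
          # Suppress only the CSP header; the other defaults
          # (x-frame-options, strict-transport-security, ...) stay in place.
          disable: content-security-policy
      routes:
        - id: webserver
          uri: ${webserver.url}
          predicates:
            - Path=/**
            - Method=GET
          filters:
            - SecureHeaders
```

Two practical notes. First, dropping the header at the gateway only makes sense if the upstream application sets its own Content-Security-Policy; a proxied site with no CSP at all is a weaker posture than the gateway default, so the usual alternative is to override the value instead (the docs expose `spring.cloud.gateway.filter.secure-headers.content-security-policy` for that) with a policy written for the backend actually being served. Second, verify the effect the same way the report does, by inspecting the response headers on the gateway's port rather than the backend's, e.g. `curl -sI http://localhost:<gateway-port>/ | grep -i content-security-policy` should print nothing once the property is in place.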