VKT:OTR:AKR(Backend): Security audit fixes. Added cache no-store and CSP policy

backend/akr/src/main/java/fi/oph/akr/api/clerk/StatisticsController.java

@@ -127,6 +127,7 @@ public void getEmailStatisticsByYear(final HttpServletResponse response) throws
   private static void writeHeaders(final HttpServletResponse response, final String filename) {
     response.setContentType(MEDIA_TYPE_XLSX);
     response.addHeader("Content-Disposition", String.format("attachment; filename=\"%s\"", filename));
+    response.setHeader("Cache-Control", "no-cache, no-store, private, max-age=0, must-revalidate");
   }
 
   private void writeContactRequestStatisticsExcel(

backend/akr/src/main/java/fi/oph/akr/config/security/WebSecurityConfig.java

@@ -159,6 +159,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
           .permitAll()
           .anyRequest()
           .authenticated()
+      )
+      .headers(httpSecurityHeadersConfigurer ->
+        httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+          contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+        )
       );
   }
 

backend/otr/src/main/java/fi/oph/otr/config/security/WebSecurityConfig.java

@@ -159,6 +159,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
           .permitAll()
           .anyRequest()
           .authenticated()
+      )
+      .headers(httpSecurityHeadersConfigurer ->
+        httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+          contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+        )
       );
   }
 

backend/vkt/src/main/java/fi/oph/vkt/api/clerk/ClerkExamEventController.java

@@ -1,5 +1,6 @@
 package fi.oph.vkt.api.clerk;
 
+import static org.springframework.http.HttpStatus.OK;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
 import fi.oph.vkt.api.dto.clerk.ClerkExamEventCreateDTO;
@@ -9,9 +10,13 @@
 import fi.oph.vkt.service.ClerkExamEventService;
 import io.swagger.v3.oas.annotations.Operation;
 import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import java.util.List;
+import org.springframework.http.CacheControl;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;

backend/vkt/src/main/java/fi/oph/vkt/config/security/WebSecurityConfig.java

@@ -160,6 +160,11 @@ public static HttpSecurity commonConfig(final HttpSecurity httpSecurity) throws
           .permitAll()
           .anyRequest()
           .authenticated()
+      )
+      .headers(httpSecurityHeadersConfigurer ->
+        httpSecurityHeadersConfigurer.contentSecurityPolicy(contentSecurityPolicyConfig ->
+          contentSecurityPolicyConfig.policyDirectives("style-src 'self'; script-src 'self'; form-action 'self'")
+        )
       );
   }
 

backend/vkt/src/main/java/fi/oph/vkt/view/ExamEventXlsxView.java

@@ -31,6 +31,7 @@ protected void buildExcelDocument(
     final @NonNull HttpServletResponse response
   ) {
     setFilenameHeader(response, String.format("VKT_tilaisuus_%s_%s.xlsx", data.date(), data.language()));
+    response.setHeader("Cache-Control", "no-cache, no-store, private, max-age=0, must-revalidate");
     writeExcel(workbook);
   }