JavaMelody is a web based monitoring tool frequently run in production environments, providing insights including CPU usage, hot spots in code, database connection pool utilization, and more. I’m always on the lookout for ways to improve security, so when a security scan pointed out that the JavaMelody web interface didn’t have a Content Security Policy (CSP), it got my attention. I immediately started on contributing support for CSP to JavaMelody. After 8 months, JavaMelody 1.88.0 was released in July 2021 including a strict CSP, improving the security posture of all JavaMelody users.
What is JavaMelody
JavaMelody is monitoring tool for Java applications intended for use in development as well as production environments. Since it can and frequently does run in production, JavaMelody is security sensitive. Therefore, it really should have a CSP to ensure its continuous, secure operation. Yet, until I started upon the effort, JavaMelody had no CSP in place at all, nevermind a strict one.
What is Content Security Policy (CSP)
Content Security Policy (CSP) is a W3C standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from execution of malicious content. As such, a strict, secure CSP is increasingly required and expected, especially by customers in security sensitive industries such as defense and financial services.
Contributing CSP Support to JavaMelody
I started in my effort to implement a strict CSP in JavaMelody in November 2020. My initial pull request to JavaMelody took me a number of days to prepare, then months of back and forth to get accepted, due to a few challenges:
- JavaMelody doesn’t use a templating system; it constructs HTML using string concatenation.
- JavaMelody uses obsolete and unsupported libraries that are no longer maintained, such as prototype.js (CSP related fix), scriptaculous, and lightwindow.js (CSP related fix). JavaMelody is an old project!
- JavaMelody has a significant amount of inline CSS and JavaScript in the HTML (which is not permitted by a strict script-src CSP configuration).
- JavaMelody has no front end tests. There is no automated testing of the CSS, JS, or HTML – all testing must be done by manually running JavaMelody and browsing to see if it’s working as expected.
- The comments and some of the names are in French. I used Google Translate. A lot.
I’m certainly not blaming JavaMelody entirely; some fault for the unexpected long duration of this effort inevitably lies with myself. For example, I made a number of typos and other mistakes resulting in errors that I didn’t catch. Thankfully, the JavaMelody maintainer was able to catch and (sometimes on his own, sometimes with me) fix those issues. This effort is another example of the importance of automated as well as manual testing.
The CSP I implemented is:
Content-Security-Policy: default-src 'self', object-src: 'none'
Which means that all inline CSS and JS must be externalized. Given the aforementioned challenges, that was a substantial effort. And in the process, many subtle issues were introduced, some inevitable introduced by typos. The maintainer of JavaMelody was also oftentimes slow to respond, so the effort took a great deal of patience, as months sometimes lapsed between reviews.
However, after 8 months, CSP support was finally included and enabled by default in the JavaMelody 1.88.0 release made in July, 2021!
In the end, I’m glad to have made this contribution to JavaMelody and I hope the community enjoys the additional security benefits it provides.
Closing Thoughts
- At 8 months, this is one of the longest duration contributions I’ve worked on.
- I almost gave up a number of times, hitting a low point in June 2021. I’m glad to have persisted and completed the effort.
- Thank you to evernat, the JavaMelody maintainer, for his patience and for continuing to work with me throughout this process.
Contributing Improved Security to JavaMelody with Content Security Policy by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
