Icinga · TheSyscall · May 15, 2025 · May 19, 2025 · Mar 12, 2026 · Aug 25, 2025
diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
@@ -6,6 +6,7 @@
 namespace Icinga\Controllers;
 
 use Exception;
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Application\Version;
 use InvalidArgumentException;
 use Icinga\Application\Config;
@@ -17,6 +18,7 @@
 use Icinga\Forms\ActionForm;
 use Icinga\Forms\Config\GeneralConfigForm;
 use Icinga\Forms\Config\ResourceConfigForm;
+use Icinga\Forms\Config\Security\CspConfigForm;
 use Icinga\Forms\Config\UserBackendConfigForm;
 use Icinga\Forms\Config\UserBackendReorderForm;
 use Icinga\Forms\ConfirmRemovalForm;
@@ -25,6 +27,7 @@
 use Icinga\Web\Notification;
 use Icinga\Web\Url;
 use Icinga\Web\Widget;
+use ipl\Html\Contract\Form as ContractForm;
 
 /**
  * Application and module configuration
@@ -45,6 +48,14 @@ public function createApplicationTabs()
                 'baseTarget' => '_main'
             ));
         }
+        if ($this->hasPermission('config/security')) {
+            $tabs->add('security', array(
+                'title' => $this->translate('Adjust the security configuration of Icinga Web 2'),
+                'label' => $this->translate('Security'),
+                'url'   => 'config/security',
+                'baseTarget' => '_main'
+            ));
+        }
         if ($this->hasPermission('config/resources')) {
             $tabs->add('resource', array(
                 'title' => $this->translate('Configure which resources are being utilized by Icinga Web 2'),
@@ -79,6 +90,8 @@ public function indexAction()
     {
         if ($this->hasPermission('config/general')) {
             $this->redirectNow('config/general');
+        } elseif ($this->hasPermission('config/security')) {
+            $this->redirectNow('config/security');
         } elseif ($this->hasPermission('config/resources')) {
             $this->redirectNow('config/resource');
         } elseif ($this->hasPermission('config/access-control/*')) {
@@ -96,24 +109,50 @@ public function indexAction()
     public function generalAction()
     {
         $this->assertPermission('config/general');
+
+        $this->view->title = $this->translate('General');
+
         $form = new GeneralConfigForm();
         $form->setIniConfig(Config::app());
-        $form->setOnSuccess(function (GeneralConfigForm $form) {
-            $config = Config::app();
-            $useStrictCsp = (bool) $config->get('security', 'use_strict_csp', false);
-            if ($form->onSuccess() === false) {
-                return false;
-            }
+        $form->handleRequest();
+
+        $this->view->form = $form;
 
-            $appConfigForm = $form->getSubForm('form_config_general_application');
-            if ($appConfigForm && (bool) $appConfigForm->getValue('security_use_strict_csp') !== $useStrictCsp) {
+        $this->createApplicationTabs()->activate('general');
+    }
+
+    /**
+     * Security configuration
+     *
+     * @throws SecurityException If the user lacks the permission for configuring the security configuration
+     */
+    public function securityAction(): void
+    {
+        $this->assertPermission('config/security');
+
+        $this->view->title = $this->translate('Security');
+
+        $config = Config::app();
+        $cspForm = new CspConfigForm($config);
+        $cspForm->populate([
+            'use_strict_csp' => $config->get('security', 'use_strict_csp', '0'),
+            'use_custom_csp' => $config->get('security', 'use_custom_csp', '0'),
+            'custom_csp' => $config->get('security', 'custom_csp', ''),
+            'csp_enable_modules' => $config->get('security', 'csp_enable_modules', '1'),
+            'csp_enable_dashboards' => $config->get('security', 'csp_enable_dashboards', '1'),
+            'csp_enable_navigation' => $config->get('security', 'csp_enable_navigation', '1'),
+        ]);
+
+        $cspForm->on(ContractForm::ON_SUBMIT, function (CspConfigForm $form) {
+            if ($form->hasConfigChanged()) {
                 $this->getResponse()->setReloadWindow(true);
             }
-        })->handleRequest();
+            Notification::success($this->translate('Content-Security-Policy updated'));
+        });
+        $cspForm->handleRequest(ServerRequest::fromGlobals());
+        $this->view->cspForm = $cspForm;
 
-        $this->view->form = $form;
-        $this->view->title = $this->translate('General');
-        $this->createApplicationTabs()->activate('general');
+        $this->createApplicationTabs()->activate('security');
     }
 
     /**

diff --git a/application/forms/Config/General/ApplicationConfigForm.php b/application/forms/Config/General/ApplicationConfigForm.php
@@ -57,18 +57,6 @@ public function createElements(array $formData)
             )
         );
 
-        $this->addElement(
-            'checkbox',
-            'security_use_strict_csp',
-            [
-                'label'         => $this->translate('Enable strict content security policy'),
-                'description'   => $this->translate(
-                    'Set whether to use strict content security policy (CSP).'
-                    . ' This setting helps to protect from cross-site scripting (XSS).'
-                )
-            ]
-        );
-
         $this->addElement(
             'text',
             'global_module_path',