From 613b047aa9a5326c272fd0d07441bc070e0ddf79 Mon Sep 17 00:00:00 2001
From: jomu
Date: Mon, 17 Apr 2017 16:52:39 +0000
Subject: [PATCH] migrated OwaspStandardFilter to security-filter project

---
 .../shared/jeeutil/OwaspStandardFilter.java | 74 ------------------
 1 file changed, 74 deletions(-)
 delete mode 100644 jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java

diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
deleted file mode 100644
index ad7ec53..0000000
--- a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
+++ /dev/null
@@ -1,74 +0,0 @@ -package de.muehlencord.shared.jeeutil; - -import java.io.IOException; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletResponse; - -/** - * Filter to suppress ClickJacking and Mime Sniffing by adding header fields - * - * @author joern@muehlencord.de - */ -public class OwaspStandardFilter implements Filter { - - /** mode to use */ - private String mode = "DENY"; - - /** - * inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY" - * - * @param filterConfig - * @throws ServletException - */ - @Override - public void init(FilterConfig filterConfig) throws ServletException { - String configMode = filterConfig.getInitParameter("mode"); - if (configMode != null) { - mode = configMode; - } - } - - /** - * - * @param request - * @param response - * @param chain - * @throws IOException - * @throws ServletException - */ - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - HttpServletResponse res = (HttpServletResponse) response; - // X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch - res.addHeader("X-FRAME-OPTIONS", mode); - - // Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'. - res.addHeader("X-XSS-Protection", "1"); - - // X-Content-Type-Options the only defined value, "nosniff", - // The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. - // This also applies to Google Chrome, when downloading extensions. 
- res.addHeader("X-Content-Type-Options", "nosniff"); - - // disableing caching by Pragma setting - res.addHeader("Pragma", "no-cache"); - - // disabling caching by Cache-control settings - res.addHeader("Cache-control", "no-cache, no-store, must-revalidate, private"); - - chain.doFilter(request, response); - } - - /** - * destroys the filter - */ - @Override - public void destroy() { - // nothing todo here - } -}