migrated OwaspStandardFilter to security-filter project
This commit is contained in:
jomu
@ -1,74 +0,0 @@
|
|||||||
package de.muehlencord.shared.jeeutil;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import javax.servlet.Filter;
|
|
||||||
import javax.servlet.FilterChain;
|
|
||||||
import javax.servlet.FilterConfig;
|
|
||||||
import javax.servlet.ServletException;
|
|
||||||
import javax.servlet.ServletRequest;
|
|
||||||
import javax.servlet.ServletResponse;
|
|
||||||
import javax.servlet.http.HttpServletResponse;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Filter to suppress ClickJacking and Mime Sniffing by adding header fields
|
|
||||||
*
|
|
||||||
* @author joern@muehlencord.de
|
|
||||||
*/
|
|
||||||
public class OwaspStandardFilter implements Filter {
|
|
||||||
|
|
||||||
/** mode to use */
|
|
||||||
private String mode = "DENY";
|
|
||||||
|
|
||||||
/**
|
|
||||||
* inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY"
|
|
||||||
*
|
|
||||||
* @param filterConfig
|
|
||||||
* @throws ServletException
|
|
||||||
*/
|
|
||||||
@Override
|
|
||||||
public void init(FilterConfig filterConfig) throws ServletException {
|
|
||||||
String configMode = filterConfig.getInitParameter("mode");
|
|
||||||
if (configMode != null) {
|
|
||||||
mode = configMode;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
*
|
|
||||||
* @param request
|
|
||||||
* @param response
|
|
||||||
* @param chain
|
|
||||||
* @throws IOException
|
|
||||||
* @throws ServletException
|
|
||||||
*/
|
|
||||||
@Override
|
|
||||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
|
||||||
HttpServletResponse res = (HttpServletResponse) response;
|
|
||||||
// X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
|
|
||||||
res.addHeader("X-FRAME-OPTIONS", mode);
|
|
||||||
|
|
||||||
// Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
|
|
||||||
res.addHeader("X-XSS-Protection", "1");
|
|
||||||
|
|
||||||
// X-Content-Type-Options the only defined value, "nosniff",
|
|
||||||
// The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
|
|
||||||
// This also applies to Google Chrome, when downloading extensions.
|
|
||||||
res.addHeader("X-Content-Type-Options", "nosniff");
|
|
||||||
|
|
||||||
// disableing caching by Pragma setting
|
|
||||||
res.addHeader("Pragma", "no-cache");
|
|
||||||
|
|
||||||
// disabling caching by Cache-control settings
|
|
||||||
res.addHeader("Cache-control", "no-cache, no-store, must-revalidate, private");
|
|
||||||
|
|
||||||
chain.doFilter(request, response);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* destroys the filter
|
|
||||||
*/
|
|
||||||
@Override
|
|
||||||
public void destroy() {
|
|
||||||
// nothing todo here
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Reference in New Issue
Block a user