diff --git a/jeeutil/pom.xml b/jeeutil/pom.xml
index a229e03..43dbec1 100644
--- a/jeeutil/pom.xml
+++ b/jeeutil/pom.xml
@@ -10,7 +10,7 @@
de.muehlencord.app
shared-jeeutil
1.0-SNAPSHOT
- ejb
+ jar
shared-jeeutil
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
new file mode 100644
index 0000000..ff3d46b
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
@@ -0,0 +1,64 @@
+package de.muehlencord.shared.jeeutil;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Filter to suppress ClickJacking and Mime Sniffing by adding header fields
+ *
+ * @author joern@muehlencord.de
+ */
+public class OwaspStandardFilter implements Filter {
+
+ /** mode to use */
+ private String mode = "DENY";
+
+ /**
+ * inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY"
+ *
+ * @param filterConfig
+ * @throws ServletException
+ */
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ String configMode = filterConfig.getInitParameter("mode");
+ if (configMode != null) {
+ mode = configMode;
+ }
+ }
+
+ /**
+ *
+ * @param request
+ * @param response
+ * @param chain
+ * @throws IOException
+ * @throws ServletException
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse) response;
+ // X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
+ res.addHeader("X-FRAME-OPTIONS", mode);
+
+ // X-Content-Type-Options the only defined value, "nosniff",
+ // The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
+ // This also applies to Google Chrome, when downloading extensions.
+ res.addHeader("X-Content-Type-Options", "nosniff");
+ chain.doFilter(request, response);
+ }
+
+ /**
+ * destroys the filter
+ */
+ @Override
+ public void destroy() {
+ // nothing todo here
+ }
+}
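Review bot: The `mode` init parameter is copied straight into the X-FRAME-OPTIONS value in init without validation, so a misspelled or unsupported value produces a header that browsers discard and the clickjacking protection silently disappears at deployment time. Reject anything other than the values browsers honour before assigning it: `if (!"DENY".equalsIgnoreCase(configMode) && !"SAMEORIGIN".equalsIgnoreCase(configMode)) { throw new ServletException("unsupported X-Frame-Options mode: " + configMode); }`, and store the upper-cased form. In doFilter, `res.setHeader` is preferable to `res.addHeader` for both headers, since a second pass of the filter (for example on a forwarded request) or an upstream component that already set the header would otherwise emit duplicate X-FRAME-OPTIONS values, which browsers do not treat consistently. The empty doFilter Javadoc should also state that both headers are written before `chain.doFilter` so they are in place before the response is committed, and that the filter assumes an HTTP response (the cast fails otherwise).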