Example usage for com.google.common.net HttpHeaders STRICT_TRANSPORT_SECURITY

List of usage examples for com.google.common.net HttpHeaders STRICT_TRANSPORT_SECURITY

Introduction

On this page you can find example usage of com.google.common.net.HttpHeaders.STRICT_TRANSPORT_SECURITY, the Guava constant holding the Strict-Transport-Security (HSTS) header field name.

Prototype

String STRICT_TRANSPORT_SECURITY

Document

The HTTP Strict-Transport-Security header field name (RFC 6797, section 6.1: http://tools.ietf.org/html/rfc6797#section-6.1).

Usage

From source file: keywhiz.service.filters.SecurityHeadersFilter.java

import static java.lang.String.format;

import com.google.common.net.HttpHeaders;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Servlet filter that adds browser security headers to every HTTP response; the excerpt on this page is the doFilter body.
public class SecurityHeadersFilter implements Filter {
    // Assumed value: one year in seconds (the excerpt references YEAR_OF_SECONDS but does not show its definition).
    private static final long YEAR_OF_SECONDS = 365L * 24 * 60 * 60;

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse r = (HttpServletResponse) response;

            // Defense against XSS. We don't care about IE's Content-Security-Policy because it's useless
            r.addHeader("X-Content-Security-Policy", "default-src 'self'");
            r.addHeader(HttpHeaders.X_XSS_PROTECTION, "0"); // With CSP, we don't need crazy magic

            // Tell IE not to do silly things
            r.addHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff");

            // Protection against click jacking
            r.addHeader("Frame-Options", "DENY"); // Who uses this?
            r.addHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");

            // https-all-the-time
            // HSTS: the browser remembers to reach this host (and its subdomains) only over HTTPS for max-age seconds
            r.addHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY,
                    format("max-age=%d; includeSubDomains", YEAR_OF_SECONDS));
        }
        chain.doFilter(request, response);
    }
}