List of usage examples for com.google.common.net HttpHeaders X_FRAME_OPTIONS
String X_FRAME_OPTIONS
To view the source code for com.google.common.net HttpHeaders X_FRAME_OPTIONS.
Click Source Link
From source file:keywhiz.service.filters.SecurityHeadersFilter.java
@Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (response instanceof HttpServletResponse) { HttpServletResponse r = (HttpServletResponse) response; // Defense against XSS. We don't care about IE's Content-Security-Policy because it's useless r.addHeader("X-Content-Security-Policy", "default-src 'self'"); r.addHeader(HttpHeaders.X_XSS_PROTECTION, "0"); // With CSP, we don't need crazy magic // Tell IE not to do silly things r.addHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff"); // Protection against click jacking r.addHeader("Frame-Options", "DENY"); // Who uses this? r.addHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY"); // https-all-the-time r.addHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY, format("max-age=%d; includeSubDomains", YEAR_OF_SECONDS)); }//from w w w . j a va2 s .c o m chain.doFilter(request, response); }
From source file:com.google.testing.security.firingrange.tests.reverseclickjacking.UniversalReverseClickjackingMultiPage.java
@Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException { String headerOptions, parameterLocation, template; try {/*from w w w . jav a 2 s . co m*/ parameterLocation = Splitter.on('/').splitToList(request.getPathInfo()).get(2); headerOptions = Splitter.on('/').splitToList(request.getPathInfo()).get(3); } catch (IndexOutOfBoundsException e) { // Either the parameter location or the X-Frame-Options is not set. Responses.sendError(response, "Please specify the location of the vulnerable parameter and the preference for the" + " X-Frame-Option header.", 400); return; } String vulnerableParameter = Strings.nullToEmpty(request.getParameter(VULNERABLE_PARAMETER)); // Encode URL to prevent XSS vulnerableParameter = urlFormParameterEscaper().escape(vulnerableParameter); switch (parameterLocation) { case "ParameterInQuery": template = Templates.getTemplate("jsonly_in_query.tmpl", getClass()); template = Templates.replacePayload(template, vulnerableParameter); break; case "ParameterInFragment": template = Templates.getTemplate("jsonly_in_fragment.tmpl", getClass()); break; default: Responses.sendError(response, "Invalid location of the vulnerable parameter.", 400); return; } switch (headerOptions) { case "WithXFO": response.setHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY"); break; case "WithoutXFO": break; default: Responses.sendError(response, "Invalid preference for the X-Frame-Option header.", 400); return; } Responses.sendXssed(response, template); }