Example usage for com.google.common.net HttpHeaders X_FRAME_OPTIONS

List of usage examples for com.google.common.net HttpHeaders X_FRAME_OPTIONS

Introduction

This page collects usage examples for com.google.common.net HttpHeaders X_FRAME_OPTIONS.

Prototype

String X_FRAME_OPTIONS

To view the source code for com.google.common.net HttpHeaders X_FRAME_OPTIONS, follow the source link.


Document

The HTTP X-Frame-Options header field name.

Usage

From source file:keywhiz.service.filters.SecurityHeadersFilter.java

/**
 * Attaches browser security headers to HTTP responses, then continues the filter chain.
 *
 * <p>Headers are added before {@code chain.doFilter} runs so they are in place before the
 * downstream servlet can commit the response. Non-HTTP responses are passed through untouched.
 *
 * @param request  the incoming request, forwarded unchanged
 * @param response the response to decorate; only {@link HttpServletResponse} instances get headers
 * @param chain    the remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
        addSecurityHeaders((HttpServletResponse) response);
    }
    chain.doFilter(request, response);
}

/**
 * Adds the fixed set of security response headers, in a stable order.
 *
 * @param httpResponse the HTTP response to decorate
 */
private void addSecurityHeaders(HttpServletResponse httpResponse) {
    // Content Security Policy restricting every resource load to the same origin. Only the
    // legacy "X-" prefixed header name is sent here.
    httpResponse.addHeader("X-Content-Security-Policy", "default-src 'self'");
    // Turn the browser's built-in XSS auditor off; the CSP above is the intended control.
    httpResponse.addHeader(HttpHeaders.X_XSS_PROTECTION, "0");

    // Stop browsers from MIME-sniffing the response body away from the declared Content-Type.
    httpResponse.addHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff");

    // Clickjacking defense: refuse to be rendered in a frame. The value is sent under both the
    // unprefixed and the "X-" prefixed header names.
    httpResponse.addHeader("Frame-Options", "DENY");
    httpResponse.addHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");

    // HSTS: keep clients on HTTPS for YEAR_OF_SECONDS (a class-level constant), subdomains included.
    httpResponse.addHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY,
            format("max-age=%d; includeSubDomains", YEAR_OF_SECONDS));
}

From source file:com.google.testing.security.firingrange.tests.reverseclickjacking.UniversalReverseClickjackingMultiPage.java

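/**
 * Serves a reverse-clickjacking test page.
 *
 * <p>The path info is split on {@code '/'}; segment 2 selects where the echoed parameter is
 * placed ({@code ParameterInQuery} or {@code ParameterInFragment}) and segment 3 selects whether
 * an {@code X-Frame-Options: DENY} header is sent ({@code WithXFO} or {@code WithoutXFO}). Any
 * missing or unrecognised segment is answered with HTTP 400.
 *
 * @param request  the incoming request; {@link HttpServletRequest#getPathInfo()} may be null
 * @param response the response to write the page or error to
 * @throws IOException if writing the response fails
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // getPathInfo() returns null when no extra path is present. Treat that as an empty path so
    // the missing-segment case below reports a 400 instead of failing with an unhandled null.
    java.util.List<String> pathSegments =
            Splitter.on('/').splitToList(Strings.nullToEmpty(request.getPathInfo()));

    // Segments 2 and 3 are required; anything shorter means one of them is absent.
    if (pathSegments.size() < 4) {
        Responses.sendError(response,
                "Please specify the location of the vulnerable parameter and the preference for the"
                        + " X-Frame-Option header.",
                400);
        return;
    }
    String parameterLocation = pathSegments.get(2);
    String headerOptions = pathSegments.get(3);

    // The echoed parameter is URL-form escaped before it is placed into the template.
    String vulnerableParameter = urlFormParameterEscaper()
            .escape(Strings.nullToEmpty(request.getParameter(VULNERABLE_PARAMETER)));

    String template;
    switch (parameterLocation) {
    case "ParameterInQuery":
        template = Templates.getTemplate("jsonly_in_query.tmpl", getClass());
        template = Templates.replacePayload(template, vulnerableParameter);
        break;
    case "ParameterInFragment":
        // The fragment variant carries no server-side payload substitution.
        template = Templates.getTemplate("jsonly_in_fragment.tmpl", getClass());
        break;
    default:
        Responses.sendError(response, "Invalid location of the vulnerable parameter.", 400);
        return;
    }

    switch (headerOptions) {
    case "WithXFO":
        response.setHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");
        break;
    case "WithoutXFO":
        // Deliberately no framing protection for this variant.
        break;
    default:
        Responses.sendError(response, "Invalid preference for the X-Frame-Option header.", 400);
        return;
    }

    Responses.sendXssed(response, template);
}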