List of usage examples for com.google.common.net HttpHeaders X_XSS_PROTECTION
String X_XSS_PROTECTION
From source file: com.google.testing.security.firingrange.utils.Responses.java
/** * Sends an XSS response of a given type. *///from w w w . j a v a 2 s .c o m public static void sendXssed(HttpServletResponse response, String body, String contentType) throws IOException { response.setHeader(HttpHeaders.X_XSS_PROTECTION, "0"); response.setHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, must-revalidate"); response.setHeader(HttpHeaders.PRAGMA, "no-cache"); response.setDateHeader(HttpHeaders.EXPIRES, 0); response.setHeader(HttpHeaders.CONTENT_TYPE, contentType); response.setStatus(200); response.getWriter().write(body); }
From source file: keywhiz.service.filters.SecurityHeadersFilter.java
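/**
 * Adds the browser-side hardening headers to every HTTP response passing through this filter.
 *
 * <p>Responses that are not {@link HttpServletResponse} instances are forwarded untouched; the
 * filter chain is always continued. Headers are added rather than set, so a downstream handler
 * may still append its own values.
 *
 * @param request the incoming request, forwarded unchanged to the chain
 * @param response the response to decorate
 * @param chain the remainder of the filter chain, always invoked
 * @throws IOException if the downstream chain fails on I/O
 * @throws ServletException if the downstream chain fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
  if (response instanceof HttpServletResponse) {
    HttpServletResponse r = (HttpServletResponse) response;
    // Defense against XSS. The standard header name is the one current browsers enforce; the
    // X- prefixed spelling is the pre-standard form and is kept only for older user agents.
    r.addHeader("Content-Security-Policy", "default-src 'self'");
    r.addHeader("X-Content-Security-Policy", "default-src 'self'");
    // With CSP in place the legacy XSS auditor is disabled rather than relied on.
    r.addHeader(HttpHeaders.X_XSS_PROTECTION, "0");
    // Stop MIME sniffing so a non-script response is never interpreted as script.
    r.addHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff");
    // Protection against clickjacking. "Frame-Options" is not a registered header name; it is
    // retained for compatibility with whatever already expects it, X-Frame-Options does the work.
    r.addHeader("Frame-Options", "DENY");
    r.addHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");
    // https-all-the-time
    r.addHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY,
        format("max-age=%d; includeSubDomains", YEAR_OF_SECONDS));
  }
  chain.doFilter(request, response);
}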