keywhiz.service.filters.SecurityHeadersFilter.java Source code

Java tutorial

  1. HOME
  2. Java
  3. keywhiz.service.filters.SecurityHeadersFilter.java

Introduction

Here is the source code for keywhiz.service.filters.SecurityHeadersFilter.java

Source

/*
 * Copyright (C) 2015 Square, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package keywhiz.service.filters;

import com.google.common.net.HttpHeaders;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import static java.lang.String.format;

/**
 * Sets a variety of web security headers in every response.
 *
 * Included:
 *   Content Security Policy (CSP): http://www.w3.org/TR/CSP/
 *   Frame-Options: http://tools.ietf.org/html/draft-ietf-websec-frame-options-00,
 *                  http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01
 *   HTTP Strict Transport Security: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14
 *   IE X-Content-Type-Options: http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
 *   IE X-XSS-Protection: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
 */
public class SecurityHeadersFilter implements Filter {
    private static final long YEAR_OF_SECONDS = TimeUnit.SECONDS.convert(365, TimeUnit.DAYS);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse r = (HttpServletResponse) response;

            // Defense against XSS. We don't care about IE's Content-Security-Policy because it's useless
            r.addHeader("X-Content-Security-Policy", "default-src 'self'");
            r.addHeader(HttpHeaders.X_XSS_PROTECTION, "0"); // With CSP, we don't need crazy magic

            // Tell IE not to do silly things
            r.addHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff");

            // Protection against click jacking
            r.addHeader("Frame-Options", "DENY"); // Who uses this?
            r.addHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");

            // https-all-the-time
            r.addHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY,
                    format("max-age=%d; includeSubDomains", YEAR_OF_SECONDS));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}