GitHubkshcode/StubbornJavaPublic

forked fromStubbornJava/StubbornJava

NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commitf178eb4

billoneil

authored

F/security headers (StubbornJava#61)

* Security headers!

1 parent2fadca0 commitf178eb4Copy full SHA for f178eb4

File tree

8 files changed

+144

-4

lines changed

stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers
- CustomHandlers.java
- Middleware.java
stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers
stubbornjava-webapp/src/main/java/com/stubbornjava/webapp
- StubbornJavaWebApp.java

8 files changed

+144

-4

lines changed

`‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/CustomHandlers.java‎`

Lines changed: 22 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,13 @@`
`14`	`14`	`importcom.stubbornjava.common.HealthChecks;`
`15`	`15`	`importcom.stubbornjava.common.Metrics;`
`16`	`16`	`importcom.stubbornjava.common.undertow.Exchange;`
	`17`	`+importcom.stubbornjava.undertow.handlers.MiddlewareBuilder;`
	`18`	`+importcom.stubbornjava.undertow.handlers.ReferrerPolicyHandlers;`
	`19`	`+importcom.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;`
	`20`	`+importcom.stubbornjava.undertow.handlers.StrictTransportSecurityHandlers;`
	`21`	`+importcom.stubbornjava.undertow.handlers.XContentTypeOptionsHandler;`
	`22`	`+importcom.stubbornjava.undertow.handlers.XFrameOptionsHandlers;`
	`23`	`+importcom.stubbornjava.undertow.handlers.XXssProtectionHandlers;`
`17`	`24`	`importcom.stubbornjava.undertow.handlers.accesslog.Slf4jAccessLogReceiver;`
`18`	`25`
`19`	`26`	`importio.undertow.Handlers;`
`@@ -144,4 +151,19 @@ public static HttpHandler loadBalancerHttpToHttps(HttpHandler next) {`
`144`	`151`	`next.handleRequest(exchange);`
`145`	`152`	`};`
`146`	`153`	`}`
	`154`	`+`
	`155`	`+publicstaticHttpHandlersecurityHeaders(HttpHandlernext,ReferrerPolicypolicy) {`
	`156`	`+MiddlewareBuildersecurity =MiddlewareBuilder`
	`157`	`+ .begin(XFrameOptionsHandlers::deny)`
	`158`	`+ .next(XXssProtectionHandlers::enableAndBlock)`
	`159`	`+ .next(XContentTypeOptionsHandler::nosniff)`
	`160`	`+ .next(handler ->ReferrerPolicyHandlers.policy(handler,policy));`
	`161`	`+`
	`162`	`+// TODO: Only add HSTS if we are not local. We should probably`
	`163`	`+// use a self signed cert locally for a better test env`
	`164`	`+if (Env.LOCAL !=Env.get()) {`
	`165`	`+security =security.next(handler ->StrictTransportSecurityHandlers.hstsIncludeSubdomains(handler,31536000L));`
	`166`	`+ }`
	`167`	`+returnsecurity.complete(next);`
	`168`	`+ }`
`147`	`169`	`}`

`‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/Middleware.java‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,17 @@`
`1`	`1`	`packagecom.stubbornjava.common.undertow.handlers;`
`2`	`2`
`3`	`3`	`importcom.stubbornjava.undertow.handlers.MiddlewareBuilder;`
	`4`	`+importcom.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;`
`4`	`5`
`5`	`6`	`importio.undertow.server.HttpHandler;`
`6`	`7`	`importio.undertow.server.handlers.BlockingHandler;`
`7`	`8`
`8`	`9`	`publicclassMiddleware {`
`9`	`10`
`10`	`11`	`publicstaticHttpHandlercommon(HttpHandlerroot) {`
`11`		`-returnMiddlewareBuilder.begin(BlockingHandler::new)`
	`12`	`+returnMiddlewareBuilder.begin(handler ->CustomHandlers.securityHeaders(handler,ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))`
`12`	`13`	`.next(CustomHandlers::gzip)`
	`14`	`+ .next(BlockingHandler::new)`
`13`	`15`	`.next(CustomHandlers::accessLog)`
`14`	`16`	`.next(CustomHandlers::statusCodeMetrics)`
`15`	`17`	`.complete(root);`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ReferrerPolicyHandlers.java‎`

Lines changed: 32 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,32 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importio.undertow.server.HttpHandler;`
	`4`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`5`	`+`
	`6`	`+publicclassReferrerPolicyHandlers {`
	`7`	`+privatestaticfinalStringREFERRER_POLICY_STRING ="Referrer-Policy";`
	`8`	`+`
	`9`	`+// See https://scotthelme.co.uk/a-new-security-header-referrer-policy/`
	`10`	`+publicenumReferrerPolicy {`
	`11`	`+EMPTY(""),`
	`12`	`+NO_REFERRER("no-referrer"),`
	`13`	`+NO_REFERRER_WHEN_DOWNGRADE("no-referrer-when-downgrade"),`
	`14`	`+SAME_ORIGIN("same-origin"),`
	`15`	`+ORIGIN("origin"),`
	`16`	`+STRICT_ORIGIN("strict-origin"),`
	`17`	`+ORIGIN_WHEN_CROSS_ORIGIN("origin-when-cross-origin"),`
	`18`	`+STRICT_ORIGIN_WHEN_CROSS_ORIGIN("strict-origin-when-cross-origin"),`
	`19`	`+UNSAFE_URL("unsafe-url");`
	`20`	`+`
	`21`	`+privatefinalStringvalue;`
	`22`	`+ReferrerPolicy(Stringvalue) {`
	`23`	`+this.value =value;`
	`24`	`+ }`
	`25`	`+publicStringgetValue() {`
	`26`	`+returnvalue;`
	`27`	`+ }`
	`28`	`+ };`
	`29`	`+publicstaticHttpHandlerpolicy(HttpHandlernext,ReferrerPolicypolicy) {`
	`30`	`+returnnewSetHeaderHandler(next,REFERRER_POLICY_STRING,policy.getValue());`
	`31`	`+ }`
	`32`	`+}`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/StrictTransportSecurityHandlers.java‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,16 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importio.undertow.server.HttpHandler;`
	`4`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`5`	`+importio.undertow.util.Headers;`
	`6`	`+`
	`7`	`+publicclassStrictTransportSecurityHandlers {`
	`8`	`+`
	`9`	`+publicstaticHttpHandlerhsts(HttpHandlernext,longmaxAge) {`
	`10`	`+returnnewSetHeaderHandler(next,Headers.STRICT_TRANSPORT_SECURITY_STRING,"max-age=" +maxAge);`
	`11`	`+ }`
	`12`	`+`
	`13`	`+publicstaticHttpHandlerhstsIncludeSubdomains(HttpHandlernext,longmaxAge) {`
	`14`	`+returnnewSetHeaderHandler(next,Headers.STRICT_TRANSPORT_SECURITY_STRING,"max-age=" +maxAge +"; includeSubDomains");`
	`15`	`+ }`
	`16`	`+}`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XContentTypeOptionsHandler.java‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importio.undertow.server.HttpHandler;`
	`4`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`5`	`+`
	`6`	`+publicclassXContentTypeOptionsHandler {`
	`7`	`+privatestaticfinalStringX_CONTENT_TYPE_OPTIONS_STRING ="X-Content-Type-Options";`
	`8`	`+`
	`9`	`+publicstaticHttpHandlernosniff(HttpHandlernext) {`
	`10`	`+returnnewSetHeaderHandler(next,X_CONTENT_TYPE_OPTIONS_STRING,"nosniff");`
	`11`	`+ }`
	`12`	`+}`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XFrameOptionsHandlers.java‎`

Lines changed: 34 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,34 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importjava.util.function.Function;`
	`4`	`+`
	`5`	`+importio.undertow.server.HttpHandler;`
	`6`	`+importio.undertow.server.HttpServerExchange;`
	`7`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`8`	`+importio.undertow.util.HttpString;`
	`9`	`+`
	`10`	`+publicclassXFrameOptionsHandlers {`
	`11`	`+privatestaticfinalStringX_FRAME_OPTIONS_STRING ="X-Frame-Options";`
	`12`	`+privatestaticfinalHttpStringX_FRAME_OPTIONS =newHttpString(X_FRAME_OPTIONS_STRING);`
	`13`	`+`
	`14`	`+publicstaticHttpHandlerdeny(HttpHandlernext) {`
	`15`	`+returnnewSetHeaderHandler(next,X_FRAME_OPTIONS_STRING,"DENY");`
	`16`	`+ }`
	`17`	`+`
	`18`	`+publicstaticHttpHandlersameOrigin(HttpHandlernext) {`
	`19`	`+returnnewSetHeaderHandler(next,X_FRAME_OPTIONS_STRING,"SAMEORIGIN");`
	`20`	`+ }`
	`21`	`+`
	`22`	`+publicstaticHttpHandlerallowFromOrigin(HttpHandlernext,Stringorigin) {`
	`23`	`+returnnewSetHeaderHandler(next,X_FRAME_OPTIONS_STRING,"ALLOW-FROM " +origin);`
	`24`	`+ }`
	`25`	`+`
	`26`	`+publicstaticHttpHandlerallowFromDynamicOrigin(HttpHandlernext,`
	`27`	`+Function<HttpServerExchange,String>originExtractor) {`
	`28`	`+// Since this is dynamic skip using the SetHeaderHandler`
	`29`	`+returnexchange -> {`
	`30`	`+exchange.getResponseHeaders().put(X_FRAME_OPTIONS,originExtractor.apply(exchange));`
	`31`	`+next.handleRequest(exchange);`
	`32`	`+ };`
	`33`	`+ }`
	`34`	`+}`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XXssProtectionHandlers.java‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,20 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importio.undertow.server.HttpHandler;`
	`4`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`5`	`+`
	`6`	`+publicclassXXssProtectionHandlers {`
	`7`	`+privatestaticfinalStringX_XSS_PROTECTION_STRING ="X-Xss-Protection";`
	`8`	`+`
	`9`	`+publicstaticHttpHandlerdisable(HttpHandlernext) {`
	`10`	`+returnnewSetHeaderHandler(next,X_XSS_PROTECTION_STRING,"0");`
	`11`	`+ }`
	`12`	`+`
	`13`	`+publicstaticHttpHandlerenable(HttpHandlernext) {`
	`14`	`+returnnewSetHeaderHandler(next,X_XSS_PROTECTION_STRING,"1");`
	`15`	`+ }`
	`16`	`+`
	`17`	`+publicstaticHttpHandlerenableAndBlock(HttpHandlernext) {`
	`18`	`+returnnewSetHeaderHandler(next,X_XSS_PROTECTION_STRING,"1; mode=block");`
	`19`	`+ }`
	`20`	`+}`

`‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java‎`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`importcom.stubbornjava.common.undertow.SimpleServer;`
`12`	`12`	`importcom.stubbornjava.common.undertow.handlers.CustomHandlers;`
`13`	`13`	`importcom.stubbornjava.undertow.handlers.MiddlewareBuilder;`
	`14`	`+importcom.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;`
`14`	`15`	`importcom.stubbornjava.webapp.guide.GuideRoutes;`
`15`	`16`	`importcom.stubbornjava.webapp.post.JavaLibRoutes;`
`16`	`17`	`importcom.stubbornjava.webapp.post.PostRoutes;`
`@@ -30,14 +31,15 @@ private static HttpHandler exceptionHandler(HttpHandler next) {`
`30`	`31`	`.addExceptionHandler(Throwable.class,PageRoutes::error);`
`31`	`32`	`}`
`32`	`33`
`33`		`-privatestaticHttpHandlerwrapWithMiddleware(HttpHandlerhandler) {`
	`34`	`+privatestaticHttpHandlerwrapWithMiddleware(HttpHandlernext) {`
`34`	`35`	`returnMiddlewareBuilder.begin(PageRoutes::redirector)`
`35`		`- .next(BlockingHandler::new)`
	`36`	`+ .next(handler ->CustomHandlers.securityHeaders(handler,ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))`
`36`	`37`	`.next(CustomHandlers::gzip)`
	`38`	`+ .next(BlockingHandler::new)`
`37`	`39`	`.next(ex ->CustomHandlers.accessLog(ex,logger))`
`38`	`40`	`.next(CustomHandlers::statusCodeMetrics)`
`39`	`41`	`.next(StubbornJavaWebApp::exceptionHandler)`
`40`		`- .complete(handler);`
	`42`	`+ .complete(next);`
`41`	`43`	`}`
`42`	`44`
`43`	`45`	`// These routes do not require any authentication`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf178eb4

File tree

8 files changed

8 files changed

`‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/CustomHandlers.java‎`

`‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/Middleware.java‎`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ReferrerPolicyHandlers.java‎`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/StrictTransportSecurityHandlers.java‎`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XContentTypeOptionsHandler.java‎`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XFrameOptionsHandlers.java‎`

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XXssProtectionHandlers.java‎`

`‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java‎`

0 commit comments