HTTP Security: Difference between revisions
(Created page with "==References== {| | valign="top" | * [https://content-security-policy.com/ Content Security Policy Reference] * [https://www.validbot.com/header/Permissions-Policy.html Permis...") |
(35 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
<source lang="java"> | |||
@Component | |||
@WebFilter(urlPatterns = {"/*"}) | |||
public class ResponseHeaderWebFilter implements Filter { | |||
@Override | |||
public void doFilter( | |||
ServletRequest request, | |||
ServletResponse response, FilterChain chain | |||
) throws IOException, ServletException { | |||
HttpServletResponse httpServletResponse = (HttpServletResponse) response; | |||
httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"); | |||
httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload"); | |||
httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'"); | |||
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff"); | |||
httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin"); | |||
httpServletResponse.setHeader("X-Frame-Options", "DENY"); | |||
chain.doFilter(request, response); | |||
} | |||
} | |||
</source> | |||
==Default Sources== | |||
<source lang="java"> | |||
private String getDefaultSources() { | |||
String tiktok = "https://analytics.tiktok.com/"; | |||
String facebook = "https://www.facebook.com/ https://connect.facebook.net/"; | |||
String doubleClick = "https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/"; | |||
String google = "https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/"; | |||
String[] sources = {DEFAULT_SRC, SELF, UNSAFE_INLINE, UNSAFE_EVAL, google, facebook, doubleClick, tiktok, BLOB_DATA}; | |||
String defaultSources = String.join(SOURCE_DELIMITER, sources); | |||
return getFilteredSources(defaultSources, DEFAULT_SRC); | |||
} | |||
</source> | |||
==Content Security Policy== | |||
<source lang="properties"> | |||
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none' | |||
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob: | |||
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com | |||
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com; | |||
content-security-policy: default-src 'self' * 'unsafe-inline' 'unsafe-eval' data: blob: | |||
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: | |||
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob: | |||
Content-Security-Policy: default-src 'self' cdn.chorke.org | |||
</source> | |||
==Permissions Policy== | |||
<source lang="properties"> | |||
Permissions-Policy: camera=(), microphone=(), geolocation=() | |||
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none') | |||
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com") | |||
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=() | |||
</source> | |||
==References== | ==References== | ||
{| | {| | ||
| valign="top" | | | valign="top" | | ||
* [https://content-security-policy.com/ Content Security Policy Reference] | * [https://content-security-policy.com/strict-dynamic/ CSP » <code>'strict-dynamic'</code>] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr CSP » <code>script-src-attr</code>] | |||
* [https://content-security-policy.com/unsafe-hashes/ CSP » <code>'unsafe-hashes'</code>] | |||
* [https://content-security-policy.com/unsafe-inline/ CSP » <code>'unsafe-inline'</code>] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src CSP » <code>default-src</code>] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src CSP » <code>script-src</code>] | |||
* [https://content-security-policy.com/hash/ CSP » <code>'sha256-'</code>] | |||
* [https://content-security-policy.com/nonce/ CSP » <code>'nonce-'</code>] | |||
* [https://content-security-policy.com/none/ CSP » <code>'none'</code>] | |||
* [https://content-security-policy.com/self/ CSP » <code>'self'</code>] | |||
| valign="top" | | |||
* [https://stackoverflow.com/questions/59144892/ Cookies » Request to access or storage was blocked] | |||
* [https://www.tinstar.co.uk/studio-blog/some-cookies-are-misusing-the-recommended-samesite-attribute-how-to-fix/ Cookies » Recommended sameSite Attribute] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTML/Quirks_Mode_and_Standards_Mode HTML » Quirks Mode vs. Standards Mode] | |||
* [https://stackoverflow.com/questions/37298608/ CSP » Blocked the Loading of a Resource] | |||
* [https://developer.mozilla.org/en-US/docs/Web/Privacy/Storage_Access_Policy SAP » Block cookies from trackers] | |||
* [https://www.simoahava.com/analytics/google-tag-manager-content-security-policy/ CSP » Google Tag Manager Tips] | |||
* [https://developers.google.com/tag-platform/security/guides/csp CSP » Google Tag Manager] | |||
* [https://content-security-policy.com/browser-test/ CSP » Browser Test] | |||
* [https://content-security-policy.com/ CSP » Reference] | |||
* [https://content-security-policy.com/examples/ CSP » Examples] | |||
| valign="top" | | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials CORS » Credential is not supported] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation Content Negotiation] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src CSP » <code>frame-src</code>] | |||
* [https://www.validbot.com/header/Permissions-Policy.html Permissions-Policy] | * [https://www.validbot.com/header/Permissions-Policy.html Permissions-Policy] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy Permissions Policy] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled CORS » Disabled] | |||
|- | |||
| colspan="3" | | |||
---- | |||
|- | |||
| valign="top" | | |||
* [https://securityheaders.com/?q=https%3A%2F%2Fpfapply.aeoncredit.com.my&followRedirects=on Scan » pfapply.aeoncredit.com.my] | |||
* [https://securityheaders.com/?q=https%3A%2F%2Fcdn.chorke.org%2Fwiki&followRedirects=on Scan » cdn.chorke.org/wiki] | |||
* [https://securityheaders.com/?q=https%3A%2F%2Fshahed.biz&followRedirects=on Scan » shahed.biz] | |||
| valign="top" | | | valign="top" | | ||
Line 18: | Line 114: | ||
* [[JConsole]] | * [[JConsole]] | ||
* [[Cypress]] | * [[Cypress]] | ||
* [[Spring]] | |||
* [[HTTPie]] | * [[HTTPie]] | ||
* [[JQ Tool]] | * [[JQ Tool]] | ||
Line 25: | Line 122: | ||
| valign="top" | | | valign="top" | | ||
* [[JSON Schema Validation]] | |||
* [[Spring Security]] | |||
* [[Apache Camel]] | |||
* [[Netflix Eureka]] | |||
* [[Java/Security]] | |||
* [[Java Lambda]] | |||
* [[Camunda]] | |||
* [[Jasypt]] | |||
* [[Redis]] | |||
* [[Java]] | |||
| valign="top" | | | valign="top" | | ||
* [[Spring Exception Handling]] | |||
* [[Postman Script]] | |||
|} | |} |
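Review bot: The Permissions-Policy value written in the new ResponseHeaderWebFilter (`"geolocation 'self'; payment 'none'"`, the setHeader call after the HSTS line) uses the older Feature-Policy directive syntax; Permissions-Policy is a structured-field dictionary, so browsers that parse it strictly will discard the whole header and neither restriction takes effect. The equivalent value is `httpServletResponse.setHeader("Permissions-Policy", "geolocation=(self), payment=()");`, which also matches the `camera=(), microphone=()` form the page's own Permissions Policy section shows. Separately, the Content-Security-Policy set two lines earlier puts `'unsafe-inline'` and `'unsafe-eval'` on `default-src`, which re-admits inline and eval'd script and leaves little protection against injected script; a per-directive policy with a nonce- or hash-based `script-src` (the `'nonce-'` and `'strict-dynamic'` references added in the same revision) would keep the allow-list while closing that gap. A short comment above the CSP line recording that the relaxed policy is a deliberate trade-off for the listed third-party tags would help the next maintainer. The whole of doFilter is inside this hunk.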
Latest revision as of 22:38, 19 February 2024
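@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {

    /**
     * Content-Security-Policy sent with every response.
     * NOTE(review): {@code 'unsafe-inline'} and {@code 'unsafe-eval'} on
     * {@code default-src} re-admit inline and eval'd script, so this policy
     * gives little protection against injected script. A per-directive policy
     * with a nonce- or hash-based {@code script-src} would tighten it; the
     * allow-list itself is an application decision, so the value is kept as-is.
     */
    private static final String CONTENT_SECURITY_POLICY =
            "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;";

    /**
     * One year of HSTS for this host and its subdomains. {@code preload} signals
     * eligibility for browser preload lists, which is hard to reverse once
     * submitted; keep it only if that is intended.
     */
    private static final String STRICT_TRANSPORT_SECURITY =
            "max-age=31536000 ; includeSubDomains ; preload";

    /**
     * Permissions-Policy as a structured-field dictionary: geolocation limited to
     * this origin, payment disabled. The previous value
     * {@code "geolocation 'self'; payment 'none'"} used Feature-Policy syntax,
     * which is not a valid Permissions-Policy value and is ignored by browsers
     * that parse the header strictly.
     */
    private static final String PERMISSIONS_POLICY = "geolocation=(self), payment=()";

    /** Stops MIME sniffing of responses with a declared content type. */
    private static final String X_CONTENT_TYPE_OPTIONS = "nosniff";

    /** Full referrer same-origin, origin only cross-origin, nothing on downgrade. */
    private static final String REFERRER_POLICY = "strict-origin-when-cross-origin";

    /** Refuses framing by any origin (legacy counterpart of CSP frame-ancestors). */
    private static final String X_FRAME_OPTIONS = "DENY";

    /**
     * Adds the fixed set of security headers to HTTP responses, then continues
     * the filter chain.
     *
     * @param request  the incoming request, passed through unchanged
     * @param response the response the headers are written to
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(
            ServletRequest request,
            ServletResponse response, FilterChain chain
    ) throws IOException, ServletException {
        // Only HTTP responses carry headers; anything else passes through
        // instead of failing with a ClassCastException on the cast.
        if (response instanceof HttpServletResponse) {
            applySecurityHeaders((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    /**
     * Writes every security header onto {@code httpServletResponse}.
     * Headers are set before the chain runs, so {@code setHeader} replaces any
     * earlier value and downstream code can still override a specific header.
     *
     * @param httpServletResponse the response to decorate
     */
    private static void applySecurityHeaders(HttpServletResponse httpServletResponse) {
        httpServletResponse.setHeader("Content-Security-Policy", CONTENT_SECURITY_POLICY);
        httpServletResponse.setHeader("Strict-Transport-Security", STRICT_TRANSPORT_SECURITY);
        httpServletResponse.setHeader("Permissions-Policy", PERMISSIONS_POLICY);
        httpServletResponse.setHeader("X-Content-Type-Options", X_CONTENT_TYPE_OPTIONS);
        httpServletResponse.setHeader("Referrer-Policy", REFERRER_POLICY);
        httpServletResponse.setHeader("X-Frame-Options", X_FRAME_OPTIONS);
    }
}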
Default Sources
/**
 * Assembles the {@code default-src} CSP source list: the standard keywords
 * followed by the third-party analytics and advertising origins, joined with
 * {@code SOURCE_DELIMITER}, then handed to {@code getFilteredSources} together
 * with {@code DEFAULT_SRC}. What the filtering step removes is defined elsewhere
 * in this class — presumably it drops sources that are not enabled; confirm
 * against getFilteredSources.
 *
 * @return the filtered {@code default-src} directive value
 */
private String getDefaultSources() {
    // Third-party origins, grouped by vendor; each group is already a
    // space-separated list in CSP source syntax.
    String googleHosts = "https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/";
    String facebookHosts = "https://www.facebook.com/ https://connect.facebook.net/";
    String doubleClickHosts = "https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/";
    String tiktokHosts = "https://analytics.tiktok.com/";

    // Keyword order is significant only for readability of the emitted header;
    // the directive name comes first, the vendor origins in the middle.
    String joinedSources = String.join(
            SOURCE_DELIMITER,
            DEFAULT_SRC, SELF, UNSAFE_INLINE, UNSAFE_EVAL,
            googleHosts, facebookHosts, doubleClickHosts, tiktokHosts,
            BLOB_DATA);

    return getFilteredSources(joinedSources, DEFAULT_SRC);
}
Content Security Policy
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob:
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com;
content-security-policy: default-src 'self' * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' cdn.chorke.org
Permissions Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none')
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()