HTTP Security: Difference between revisions
Jump to navigation
Jump to search
| Line 19: | Line 19: | ||
} | } | ||
} | } | ||
</source> | |||
==Content Security Policy== | |||
<source lang="properties"> | |||
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; | |||
Content-Security-Policy: default-src 'self' cdn.chorke.org; | |||
</source> | |||
==Permissions Policy== | |||
<source lang="properties"> | |||
Permissions-Policy: camera=(), microphone=(), geolocation=() | |||
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com") | |||
</source> | </source> | ||
Revision as of 01:52, 6 February 2024
@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response, FilterChain chain
) throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'");
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
httpServletResponse.setHeader("X-Frame-Options", "DENY");
chain.doFilter(request, response);
}
}
Content Security Policy
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;
Content-Security-Policy: default-src 'self' cdn.chorke.org;
Permissions Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
References
|
| ||
|
| ||