HTTP Security: Difference between revisions
Jump to navigation
Jump to search
Line 44: | Line 44: | ||
| valign="top" | | | valign="top" | | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr CSP » <code>script-src-attr</code>] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr CSP » <code>script-src-attr</code>] | ||
* [https://content-security-policy.com/unsafe-hashes/ CSP » <code>'unsafe-hashes'</code>] | |||
* [https://content-security-policy.com/unsafe-inline/ CSP » <code>'unsafe-inline'</code>] | * [https://content-security-policy.com/unsafe-inline/ CSP » <code>'unsafe-inline'</code>] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src CSP » <code>default-src</code>] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src CSP » <code>default-src</code>] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src CSP » <code>script-src</code>] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src CSP » <code>script-src</code>] | ||
* [https://content-security-policy.com/ CSP » Reference] | * [https://content-security-policy.com/ CSP » Reference] | ||
* [https://content-security-policy.com/examples/ CSP » Examples] | * [https://content-security-policy.com/examples/ CSP » Examples] | ||
* [https://content-security-policy.com/none/ CSP » <code>'none'</code>] | * [https://content-security-policy.com/none/ CSP » <code>'none'</code>] | ||
* [https://content-security-policy.com/self/ CSP » <code>'self'</code>] | * [https://content-security-policy.com/self/ CSP » <code>'self'</code>] | ||
* [https://content-security-policy.com/hash/ CSP » Hash] | |||
| valign="top" | | | valign="top" | | ||
* [https://stackoverflow.com/questions/37298608/ CSP » Blocked the Loading of a Resource] | * [https://stackoverflow.com/questions/37298608/ CSP » Blocked the Loading of a Resource] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy] | |||
* [https://www.validbot.com/header/Permissions-Policy.html Permissions-Policy] | |||
| valign="top" | | | valign="top" | |
Revision as of 10:47, 16 February 2024
@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response, FilterChain chain
) throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'");
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
httpServletResponse.setHeader("X-Frame-Options", "DENY");
chain.doFilter(request, response);
}
}
Content Security Policy
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob:
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;
Content-Security-Policy: default-src 'self' cdn.chorke.org;
Permissions Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none')
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
References
| ||
| ||