HTTP Security: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
No edit summary
 
Line 77: Line 77:
* [https://stackoverflow.com/questions/37298608/ CSP » Blocked the Loading of a Resource]
* [https://stackoverflow.com/questions/37298608/ CSP » Blocked the Loading of a Resource]
* [https://developer.mozilla.org/en-US/docs/Web/Privacy/Storage_Access_Policy SAP » Block cookies from trackers]
* [https://developer.mozilla.org/en-US/docs/Web/Privacy/Storage_Access_Policy SAP » Block cookies from trackers]
* [https://www.simoahava.com/analytics/google-tag-manager-content-security-policy/ CSP » Google Tag Manager Tips]
* [https://developers.google.com/tag-platform/security/guides/csp CSP » Google Tag Manager]
* [https://developers.google.com/tag-platform/security/guides/csp CSP » Google Tag Manager]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy]
* [https://content-security-policy.com/browser-test/ CSP » Browser Test]
* [https://content-security-policy.com/browser-test/ CSP » Browser Test]
* [https://content-security-policy.com/ CSP » Reference]
* [https://content-security-policy.com/ CSP » Reference]
Line 85: Line 85:
| valign="top" |
| valign="top" |
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials CORS » Credential is not supported]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials CORS » Credential is not supported]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation Content Negotiation]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation Content Negotiation]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src CSP » <code>frame-src</code>]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src CSP » <code>frame-src</code>]

Latest revision as of 22:38, 19 February 2024

@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {

    @Override
    public void doFilter(
            ServletRequest request,
            ServletResponse response, FilterChain chain
    ) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
        httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
        httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'");
        httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
        httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        httpServletResponse.setHeader("X-Frame-Options", "DENY");
        chain.doFilter(request, response);
    }
}

Default Sources

private String getDefaultSources() {
    String tiktok = "https://analytics.tiktok.com/";
    String facebook = "https://www.facebook.com/ https://connect.facebook.net/";
    String doubleClick = "https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/";
    String google = "https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/";

    String[] sources = {DEFAULT_SRC, SELF, UNSAFE_INLINE, UNSAFE_EVAL, google, facebook, doubleClick, tiktok, BLOB_DATA};
    String defaultSources = String.join(SOURCE_DELIMITER, sources);
    return getFilteredSources(defaultSources, DEFAULT_SRC);
}

Content Security Policy

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://ajax.googleapis.com  https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com  https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob:

Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com;
content-security-policy: default-src 'self' * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' cdn.chorke.org

Permissions Policy

Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none')
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()

References