HTTP Security: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 1: | Line 1: | ||
< | <syntaxhighlight lang="java"> | ||
@Component | @Component | ||
@WebFilter(urlPatterns = {"/*"}) | @WebFilter(urlPatterns = {"/*"}) | ||
| Line 19: | Line 19: | ||
} | } | ||
} | } | ||
</ | </syntaxhighlight> | ||
==Default Sources== | ==Default Sources== | ||
< | <syntaxhighlight lang="java"> | ||
private String getDefaultSources() { | private String getDefaultSources() { | ||
String tiktok = "https://analytics.tiktok.com/"; | String tiktok = "https://analytics.tiktok.com/"; | ||
| Line 33: | Line 33: | ||
return getFilteredSources(defaultSources, DEFAULT_SRC); | return getFilteredSources(defaultSources, DEFAULT_SRC); | ||
} | } | ||
</ | </syntaxhighlight> | ||
==Content Security Policy== | ==Content Security Policy== | ||
< | <syntaxhighlight lang="properties"> | ||
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none' | Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none' | ||
| Line 47: | Line 47: | ||
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob: | content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob: | ||
Content-Security-Policy: default-src 'self' cdn.chorke.org | Content-Security-Policy: default-src 'self' cdn.chorke.org | ||
</ | </syntaxhighlight> | ||
===Content Security Policy » Nginx=== | ===Content Security Policy » Nginx=== | ||
---- | ---- | ||
< | <syntaxhighlight lang="nginx"> | ||
server { | server { | ||
server_name academia.chorke.org; | server_name academia.chorke.org; | ||
| Line 64: | Line 64: | ||
} | } | ||
} | } | ||
</ | </syntaxhighlight> | ||
==Permissions Policy== | ==Permissions Policy== | ||
< | <syntaxhighlight lang="properties"> | ||
Permissions-Policy: camera=(), microphone=(), geolocation=() | Permissions-Policy: camera=(), microphone=(), geolocation=() | ||
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none') | Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none') | ||
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com") | Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com") | ||
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=() | permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=() | ||
</ | </syntaxhighlight> | ||
==References== | ==References== | ||
Revision as of 22:11, 27 November 2024
@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response, FilterChain chain
) throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'");
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
httpServletResponse.setHeader("X-Frame-Options", "DENY");
chain.doFilter(request, response);
}
}
Default Sources
private String getDefaultSources() {
String tiktok = "https://analytics.tiktok.com/";
String facebook = "https://www.facebook.com/ https://connect.facebook.net/";
String doubleClick = "https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/";
String google = "https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/";
String[] sources = {DEFAULT_SRC, SELF, UNSAFE_INLINE, UNSAFE_EVAL, google, facebook, doubleClick, tiktok, BLOB_DATA};
String defaultSources = String.join(SOURCE_DELIMITER, sources);
return getFilteredSources(defaultSources, DEFAULT_SRC);
}
Content Security Policy
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob:
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com;
content-security-policy: default-src 'self' * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' cdn.chorke.org
Content Security Policy » Nginx
server {
server_name academia.chorke.org;
…more…
add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:";
add_header Permissions-Policy "camera=('none'), microphone=('none'), geolocation=('none'), payment=('none')";
…more…
location / {
return 301 https://finology-group.com$request_uri;
}
}
Permissions Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none')
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()