HTTP Security

From Chorke Wiki
Revision as of 09:18, 6 February 2024 by Shahed (talk | contribs) (→‎References)
Jump to navigation Jump to search
@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {

    @Override
    public void doFilter(
            ServletRequest request,
            ServletResponse response, FilterChain chain
    ) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
        httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
        httpServletResponse.setHeader("Permissions-Policy", "geolocation 'self'; payment 'none'");
        httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
        httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        httpServletResponse.setHeader("X-Frame-Options", "DENY");
        chain.doFilter(request, response);
    }
}

Content Security Policy

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;
Content-Security-Policy: default-src 'self' cdn.chorke.org;

Permissions Policy

Permissions-Policy: camera=(), microphone=(), geolocation=()
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")

References