import java.io.IOException;
+/**
+ * This servlet filter sets response headers that enable browser protection against several classes if Web attacks.
+ * The list of headers is mirrored in environment.rb as a workaround to Rack swallowing the headers..
+ */
public class SecurityServletFilter implements Filter {
@Override
// See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
HttpServletResponse httpResponse = (HttpServletResponse) resp;
httpResponse.addHeader("X-Frame-Options", "SAMEORIGIN");
+
+ // Cross-site scripting
+ // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ httpResponse.addHeader("X-XSS-Protection", "1; mode=block");
+
+ // MIME-sniffing
+ // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ httpResponse.addHeader("X-Content-Type-Options", "nosniff");
}
@Override
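Review bot: The three policy headers are written with `addHeader`, which appends rather than replaces, so if the filter runs more than once on the same response (a second filter mapping or a FORWARD dispatch, for example) the response carries duplicate headers, and a conflicting value set earlier by the application is kept alongside the filter's. `setHeader` is idempotent and is the usual choice for fixed policy headers: `httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");`, `httpResponse.setHeader("X-XSS-Protection", "1; mode=block");`, `httpResponse.setHeader("X-Content-Type-Options", "nosniff");`. The new Javadoc also has two typos: `classes if Web attacks` should read `classes of Web attacks`, and the trailing `..` should be a single period. The doFilter signature and the chain.doFilter call are outside the hunk.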
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.startsWith;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
public class SecurityServletFilterTest {
FilterChain chain = mock(FilterChain.class);
filter.doFilter(request, response, chain);
- // Clickjacking
- verify(response).addHeader("X-Frame-Options", "SAMEORIGIN");
+ verify(response, times(3)).addHeader(startsWith("X-"), anyString());
filter.destroy();
}
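Review bot: The replacement assertion `verify(response, times(3)).addHeader(startsWith("X-"), anyString())` no longer pins any header name or value, so a regression that changes `"SAMEORIGIN"` to another value, drops `mode=block`, or swaps one header for an unrelated `X-` header still passes; the old exact check for X-Frame-Options was the stronger test. Prefer one exact verification per header: `verify(response).addHeader("X-Frame-Options", "SAMEORIGIN");`, `verify(response).addHeader("X-XSS-Protection", "1; mode=block");`, `verify(response).addHeader("X-Content-Type-Options", "nosniff");`. The enclosing test method starts outside the hunk.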
end
end
+
+#
+# Put response headers on all HTTP calls. This is done by the Java SecurityServlerFilter,
+# but for some reason Rack swallows the headers set on Java side.
+# See middleware configuration below.
+#
+class SecurityHeaders
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ status, headers, body = @app.call(env)
+
+ # Clickjacking protection
+ # See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
+ headers['X-Frame-Options']='SAMEORIGIN'
+
+ # Cross-site scripting
+ # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ headers['X-XSS-Protection']='1; mode=block'
+
+ # MIME-sniffing
+ # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ headers['X-Content-Type-Options']='nosniff';
+
+ [status, headers, body]
+ end
+end
+
+
Rails::Initializer.run do |config|
# Settings in config/environments/* take precedence over those specified here.
# Application configuration should go into files in config/initializers
# Activate observers that should always be running
# Please note that observers generated using script/generate observer need to have an _observer suffix
# config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+ # Add security related headers
+ config.middleware.use SecurityHeaders
end
# Increase size of form parameters
# See http://jira.codehaus.org/browse/SONAR-5577
Rack::Utils.key_space_limit = 262144 # 4 times the default size
-
-
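Review bot: In `SecurityHeaders#call` the line `headers['X-Content-Type-Options']='nosniff';` carries a stray trailing semicolon that the two neighbouring assignments do not; drop it for consistency with the rest of the file. The class comment misspells the Java class as `SecurityServlerFilter`; it should read `SecurityServletFilter` so a reader can find the mirrored header list the Java Javadoc refers to. Since the root cause of Rack dropping the Java-side headers is stated as unknown, it would help to extend that comment with a note that the header list must be kept in sync with the Java filter by hand until the cause is found.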