author | Julien Lancelot <julien.lancelot@sonarsource.com> | 2016-11-10 12:29:23 +0100 |
---|---|---|
committer | Simon Brandhof <simon.brandhof@sonarsource.com> | 2016-11-14 12:18:50 +0100 |
commit | 901b8810a4d2c237395eced14e467be415218249 (patch) | |
tree | ae86617a877d0fe59314b0d8df765f54743c6fad /server/sonar-web | |
parent | ac06fa8bd33accb93e36ede7084c64988d511c51 (diff) | |
SONAR-8247 Fix security headers
Diffstat (limited to 'server/sonar-web')
-rw-r--r-- | server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb | 34 | ||||
-rw-r--r-- | server/sonar-web/src/main/webapp/WEB-INF/web.xml | 6 |
2 files changed, 3 insertions, 37 deletions
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb b/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
index cd529e41506..3c375e4607b 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
@@ -52,37 +52,6 @@ class EagerPluginLoader < Rails::Plugin::Loader
   end
 end
-
-#
-# Put response headers on all HTTP calls. This is done by the Java SecurityServlerFilter,
-# but for some reason Rack swallows the headers set on Java side.
-# See middleware configuration below.
-#
-class SecurityHeaders
-  def initialize(app)
-    @app = app
-  end
-
-  def call(env)
-    status, headers, body = @app.call(env)
-
-    # Clickjacking protection
-    # See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
-    headers['X-Frame-Options']='SAMEORIGIN'
-
-    # Cross-site scripting
-    # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    headers['X-XSS-Protection']='1; mode=block'
-
-    # MIME-sniffing
-    # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    headers['X-Content-Type-Options']='nosniff';
-
-    [status, headers, body]
-  end
-end
-
-
 Rails::Initializer.run do |config|
   # Settings in config/environments/* take precedence over those specified here.
   # Application configuration should go into files in config/initializers
@@ -139,9 +108,6 @@ Rails::Initializer.run do |config|
   # Activate observers that should always be running
   # Please note that observers generated using script/generate observer need to have an _observer suffix
   # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
-
-  # Add security related headers
-  config.middleware.use SecurityHeaders
 end
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/web.xml b/server/sonar-web/src/main/webapp/WEB-INF/web.xml
index ab60f08440a..1a8aa2dc8ad 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/web.xml
+++ b/server/sonar-web/src/main/webapp/WEB-INF/web.xml
@@ -75,15 +75,15 @@
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
-    <filter-name>UserSessionFilter</filter-name>
+    <filter-name>SecurityFilter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
-    <filter-name>ServletFilters</filter-name>
+    <filter-name>UserSessionFilter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
-    <filter-name>SecurityFilter</filter-name>
+    <filter-name>ServletFilters</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
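Review bot: The position of the moved SecurityFilter mapping is now the only thing that keeps the Java-side security headers on responses, because the Rack SecurityHeaders middleware that used to re-add them is deleted in environment.rb in this same commit (its removed comment said Rack swallowed the headers set on the Java side), yet nothing in web.xml records that ordering constraint, so a later reorder would silently reintroduce the regression. Suggest an XML comment directly above the first filter-mapping in this hunk: `<!-- SecurityFilter must be mapped before UserSessionFilter and ServletFilters: mapped later, its response headers are lost downstream (SONAR-8247) -->`. The filter definitions themselves are outside this hunk, so I cannot confirm here which headers SecurityFilter sets; an integration check that X-Frame-Options, X-XSS-Protection and X-Content-Type-Options are present on Rails-served responses after the reorder would pin the behaviour the commit relies on.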