Author: jleroux
Date: Thu Oct 19 10:00:48 2017
New Revision: 1812609
URL:
http://svn.apache.org/viewvc?rev=1812609&view=revLog:
Implemented: Secure HTTP headers
(OFBIZ-6766)
Adds
the no-referrer-when-downgrade Referrer-Policy
a comment about Public-Key-Pins-Report-Only
a link to the related wiki page
This is my next-to-last commit before implementing a CSP policy, which is quite
a lot of work! See for yourself:
https://csp.withgoogle.com/docs/adopting-csp.html
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812609&r1=1812608&r2=1812609&view=diff==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Thu Oct 19 10:00:48 2017
@@ -947,6 +947,8 @@ public class RequestHandler {
if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
}
+ // Security headers vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
+ // See
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers
 String xFrameOption = viewMap.xFrameOption;
// default to sameorigin
if (UtilValidate.isNotEmpty(xFrameOption)) {
@@ -981,6 +983,12 @@ public class RequestHandler {
resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
+ resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
+
+ // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)
+
+ // Security headers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
try {
if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
ViewHandler vh = viewFactory.getViewHandler(viewMap.type);
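Review bot: `no-referrer-when-downgrade` only suppresses the Referer on an HTTPS-to-HTTP downgrade; on any cross-origin HTTPS link the full URL, query string included (entity IDs, tokens), is still sent, so the new header adds nothing beyond what browsers already do by default, as the comment on that line itself admits. For an application serving authenticated pages a stricter value is the safer choice, e.g. `resp.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");` (or `same-origin` if no outbound referrer is needed at all). The HPKP TODO is unlikely to ever become actionable, since browsers have since deprecated and removed Public-Key-Pins support; consider replacing it with a note pointing at Certificate Transparency monitoring and CAA records instead. Separately, the pre-existing `Set-Cookie: SameSite=strict` line just above the added ones carries no cookie name, so it does not mark the session cookie SameSite and, being a setHeader, may overwrite an earlier Set-Cookie; this predates the commit but sits in the same block and deserves its own fix. The enclosing method starts and ends outside the hunk, so whether redirects and error responses also pass through this header-setting path cannot be confirmed from here.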