OFBiz › OFBiz - Commits

svn commit: r1846632 - /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

adityasharma

svn commit: r1846632 - /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Author: adityasharma
Date: Thu Nov 15 10:40:55 2018
New Revision: 1846632

URL: http://svn.apache.org/viewvc?rev=1846632&view=rev
Log:
Fixed: Missing Security and Cache Headers in CMS Events
(OFBIZ-10597)
Instead of having multiple null checks for viewMap separately for each security header we can have a single combined null check at the top in setResponseBrowserDefaultSecurityHeaders() method.

With increasing security headers these may become expensive.

Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java?rev=1846632&r1=1846631&r2=1846632&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Thu Nov 15 10:40:55 2018
@@ -985,8 +985,11 @@ public final class UtilHttp {
public static void setResponseBrowserDefaultSecurityHeaders(HttpServletResponse resp, ConfigXMLReader.ViewMap viewMap) {
// See https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers for details and how to test
String xFrameOption = null;
+ // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
+ String strictTransportSecurity = null;
if (viewMap != null) {
xFrameOption = viewMap.xFrameOption;
+ strictTransportSecurity = viewMap.strictTransportSecurity;
}
// Default to sameorigin
if (UtilValidate.isNotEmpty(xFrameOption)) {
@@ -997,12 +1000,6 @@ public final class UtilHttp {
resp.addHeader("x-frame-options", "sameorigin");
}

- // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
- String strictTransportSecurity = null;
- if (viewMap != null) {
- strictTransportSecurity = viewMap.strictTransportSecurity;
- }
-
// Default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
if (!"none".equals(strictTransportSecurity)) {