Monday, May 28, 2012

Clickjacking, XSS and CSRF Increased Browser Security with HTTP Response headers

At the moment there are a few HTTP response headers that can help increase the security of web applications. Below is an example of a J2EE filter that adds extra protection against some Clickjacking, XSS and CSRF attacks. You should be able to send these headers (or variations of them, depending on your use case) from any programming language or web framework.

Of course not all browsers will support this (the newest versions of all modern browsers do support X-FRAME-OPTIONS, for example), nor is this a recipe that completely protects your application against these types of attack. There is a knowledge war on the web, and those who master the larger amount of information will always win.

package com.nestorurquiza.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Tell the browser's reflected-XSS filter to block the page outright instead of trying to sanitise it
        httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
        // Only allow this response to be framed by pages from the same origin (anti-clickjacking)
        httpServletResponse.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
        // Headers are set before the downstream servlet writes and commits the response
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }
}
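As an added example, not part of the original post: a small Python audit that parses a raw HTTP response and reports whether the two headers the filter above sets are present with safe values, so you can verify the filter is actually applied to a given URL. The sample responses are constructed for the demonstration.

```python
from email.parser import BytesParser

# Constructed sample responses (headers only) used to exercise the audit.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
)
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.partition(b"\r\n\r\n")[0]          # drop the body, if any
    header_block = head.partition(b"\r\n")[2]     # drop the status line
    msg = BytesParser().parsebytes(header_block)
    return {name.lower(): value.strip() for name, value in msg.items()}

def audit_response(raw: bytes) -> list:
    """Return findings for the two headers the filter sets; [] means both look right."""
    headers = parse_headers(raw)
    findings = []

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any origin may frame the page (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # Browsers ignore values they do not understand, which silently re-enables framing.
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: browser default applies")
    else:
        parts = [p.strip().lower() for p in xss.split(";")]
        if parts[0] == "0":
            findings.append("X-XSS-Protection: 0 disables the browser's reflected-XSS filter")
        elif parts[0] != "1":
            findings.append(f"X-XSS-Protection value {xss!r} is not recognised")
        elif "mode=block" not in parts[1:]:
            # Plain "1" lets the browser rewrite the page instead of refusing to render it.
            findings.append("X-XSS-Protection lacks mode=block")
    return findings
```

Feed `audit_response` the raw bytes of a real response (for example from a socket or a saved capture) to check a deployed filter; an empty list means both headers match what the filter sends.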
