Of course, not all browsers support this (all current versions of modern browsers do support X-FRAME-OPTIONS, for example), nor is this a recipe that completely protects your application against these types of attacks. There is a knowledge war on the web, and those who master the larger amount of information will always win.
package com.nestorurquiza.web.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Adds defensive response headers to every response that passes through the filter.
public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Ask the browser's reflected-XSS filter to block the page rather than sanitize it.
        httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
        // Only pages from our own origin may frame this response (clickjacking mitigation).
        httpServletResponse.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
        // Headers must be set before the downstream servlet commits the response.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }
}
4 comments:
Nice, but it seems there are some issues with IE8 and X-XSS-Protection 1; mode=block. See: https://github.com/evilpacket/helmet/issues/26=
And that is exactly why we should not keep supporting old browsers, as I have posted before: http://thinkinginsoftware.blogspot.com/2013/03/web-security-for-everyone-mandatory-web.html
Hey Nestor. We've been using this for a while now, but we now need to allow a client to include our site in an iframe; unfortunately the Allow-from uri value is not supported in Chrome for X-FRAME-OPTIONS. Just FYI.
Thanks Jorge. Good to know. There is definitely a lot still to do in this area. I would move away from iframe sharing in any case. Embedded JavaScript should be the way to go, with gadgets that consume information from external websites. Cheers.
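The following is an added example, not the post's own code, that extends the filter above for the situation Jorge describes: the framing policy comes from a filter init-param, and next to X-Frame-Options the same policy is emitted as the Content-Security-Policy frame-ancestors directive, which browsers that ignore ALLOW-FROM do honour (browsers that understand frame-ancestors use it in preference to X-Frame-Options). The class name, the init-param name frameAncestors and the partner origin https://partner.example are assumptions, and registration uses the Servlet 3.0 @WebFilter annotation rather than web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

// Hypothetical extension of the filter above (not the post's code): the framing
// policy is an init-param instead of a hard-coded value, and the same policy is
// also emitted as a Content-Security-Policy frame-ancestors directive, which
// browsers that ignore X-Frame-Options ALLOW-FROM (Chrome, per the comments) honour.
@WebFilter(urlPatterns = "/*", initParams = {
        // "DENY", "SAMEORIGIN", or one partner origin such as "https://partner.example"
        @WebInitParam(name = "frameAncestors", value = "SAMEORIGIN") })
public class ConfigurableSecurityHeadersFilter implements Filter {
    private String xFrameOptions, frameAncestors;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String policy = config.getInitParameter("frameAncestors");
        // Fail closed: with no or blank configuration only our own pages may frame us.
        policy = (policy == null || policy.trim().isEmpty()) ? "SAMEORIGIN" : policy.trim();
        if ("DENY".equalsIgnoreCase(policy)) {
            xFrameOptions = "DENY";
            frameAncestors = "'none'";
        } else if ("SAMEORIGIN".equalsIgnoreCase(policy)) {
            xFrameOptions = "SAMEORIGIN";
            frameAncestors = "'self'";
        } else if (policy.startsWith("https://") && !policy.contains(" ")) {
            // One partner origin: ALLOW-FROM for browsers that support it, and the
            // equivalent frame-ancestors list (own origin plus partner) for the rest.
            xFrameOptions = "ALLOW-FROM " + policy;
            frameAncestors = "'self' " + policy;
        } else {
            throw new ServletException("frameAncestors must be DENY, SAMEORIGIN or an https origin: " + policy);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setHeader("X-XSS-Protection", "1; mode=block");
        resp.setHeader("X-Frame-Options", xFrameOptions);
        resp.setHeader("Content-Security-Policy", "frame-ancestors " + frameAncestors);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Rejecting anything other than the three recognised forms at init time means a typo in the deployment descriptor fails the deployment instead of silently shipping a permissive or malformed header.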