HTTP Security: Difference between revisions
No edit summary |
| Line 1: | Line 1: | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='java'> | ||
@Component | @Component | ||
@WebFilter(urlPatterns = {"/*"}) | @WebFilter(urlPatterns = {"/*"}) | ||
| Line 22: | Line 22: | ||
==Default Sources== | ==Default Sources== | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='java'> | ||
private String getDefaultSources() { | private String getDefaultSources() { | ||
String tiktok = "https://analytics.tiktok.com/"; | String tiktok = "https://analytics.tiktok.com/"; | ||
| Line 36: | Line 36: | ||
==Content Security Policy== | ==Content Security Policy== | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='properties'> | ||
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none' | Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none' | ||
| Line 51: | Line 51: | ||
===Content Security Policy » Nginx=== | ===Content Security Policy » Nginx=== | ||
---- | ---- | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='nginx'> | ||
server { | server { | ||
server_name academia.chorke.org; | server_name academia.chorke.org; | ||
| Line 70: | Line 70: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='bash'> | ||
nginx -t | nginx -t | ||
systemctl restart nginx | systemctl restart nginx | ||
| Line 76: | Line 76: | ||
==Permissions Policy== | ==Permissions Policy== | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0 3px 0' lang='properties'> | ||
Permissions-Policy: camera=(), microphone=(), geolocation=() | Permissions-Policy: camera=(), microphone=(), geolocation=() | ||
Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none') | Permissions-Policy: camera=('none'), microphone=('none'), geolocation=('none'), payment=('none') | ||
| Line 84: | Line 84: | ||
==References== | ==References== | ||
{| | {|class='wikitable' style='width:100%' | ||
| valign= | !scope='col' colspan='3'| | ||
References | |||
|- | |||
|valign='top' style='width:33%'| | |||
* [https://content-security-policy.com/strict-dynamic/ CSP » <code>'strict-dynamic'</code>] | * [https://content-security-policy.com/strict-dynamic/ CSP » <code>'strict-dynamic'</code>] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr CSP » <code>script-src-attr</code>] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr CSP » <code>script-src-attr</code>] | ||
| Line 97: | Line 100: | ||
* [https://content-security-policy.com/self/ CSP » <code>'self'</code>] | * [https://content-security-policy.com/self/ CSP » <code>'self'</code>] | ||
| valign= | |valign='top' style='width:34%'| | ||
* [https://stackoverflow.com/questions/59144892/ Cookies » Request to access or storage was blocked] | * [https://stackoverflow.com/questions/59144892/ Cookies » Request to access or storage was blocked] | ||
* [https://www.tinstar.co.uk/studio-blog/some-cookies-are-misusing-the-recommended-samesite-attribute-how-to-fix/ Cookies » Recommended sameSite Attribute] | * [https://www.tinstar.co.uk/studio-blog/some-cookies-are-misusing-the-recommended-samesite-attribute-how-to-fix/ Cookies » Recommended sameSite Attribute] | ||
| Line 109: | Line 112: | ||
* [https://content-security-policy.com/examples/ CSP » Examples] | * [https://content-security-policy.com/examples/ CSP » Examples] | ||
| valign= | |valign='top' style='width:33%'| | ||
* [https://stackoverflow.com/questions/11973047/ CSP » Nginx » Adding & using header] | * [https://stackoverflow.com/questions/11973047/ CSP » Nginx » Adding & using header] | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials CORS » Credential is not supported] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials CORS » Credential is not supported] | ||
| Line 122: | Line 125: | ||
|- | |- | ||
| colspan= | |colspan='3'| | ||
---- | ---- | ||
|- | |- | ||
| valign= | |valign='top'| | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options Header » <code>X-Frame-Options</code>] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options Header » <code>X-Frame-Options</code>] | ||
* [https://www.srihash.org/ SRI » Hash Generator] | * [https://www.srihash.org/ SRI » Hash Generator] | ||
| Line 131: | Line 134: | ||
* [https://owasp.org/www-community/controls/SubresourceIntegrity SRI » Docs » OWASP] | * [https://owasp.org/www-community/controls/SubresourceIntegrity SRI » Docs » OWASP] | ||
| valign= | |valign='top'| | ||
| valign= | |valign='top'| | ||
|- | |- | ||
| colspan= | |colspan='3'| | ||
---- | ---- | ||
|- | |- | ||
| valign= | |valign='top'| | ||
* [https://securityheaders.com/?q=https%3A%2F%2Fpfapply.aeoncredit.com.my&followRedirects=on Scan » CSP » pfapply.aeoncredit.com.my] | * [https://securityheaders.com/?q=https%3A%2F%2Fpfapply.aeoncredit.com.my&followRedirects=on Scan » CSP » pfapply.aeoncredit.com.my] | ||
* [https://securityheaders.com/?q=https%3A%2F%2Fcdn.chorke.org%2Fwiki&followRedirects=on Scan » CSP » cdn.chorke.org/wiki] | * [https://securityheaders.com/?q=https%3A%2F%2Fcdn.chorke.org%2Fwiki&followRedirects=on Scan » CSP » cdn.chorke.org/wiki] | ||
| Line 145: | Line 148: | ||
* [https://securityheaders.com/?q=https%3A%2F%2Fshahed.biz&followRedirects=on Scan » CSP » shahed.biz] | * [https://securityheaders.com/?q=https%3A%2F%2Fshahed.biz&followRedirects=on Scan » CSP » shahed.biz] | ||
| valign= | |valign='top'| | ||
* [https://www.sslshopper.com/ssl-checker.html#hostname=finology-group.com Scan » SSL » finology-group.com] | * [https://www.sslshopper.com/ssl-checker.html#hostname=finology-group.com Scan » SSL » finology-group.com] | ||
* [https://www.sslshopper.com/ssl-checker.html#hostname=shahed.biz Scan » SSL » shahed.biz] | * [https://www.sslshopper.com/ssl-checker.html#hostname=shahed.biz Scan » SSL » shahed.biz] | ||
| valign= | |valign='top'| | ||
|- | |- | ||
| colspan= | |colspan='3'| | ||
---- | ---- | ||
|- | |- | ||
| valign= | |valign='top'| | ||
* [[Homebrew]] | * [[Homebrew]] | ||
* [[ZA Proxy]] | * [[ZA Proxy]] | ||
| Line 167: | Line 170: | ||
* [[Wrk]] | * [[Wrk]] | ||
| valign= | |valign='top'| | ||
* [[JSON Schema Validation]] | * [[JSON Schema Validation]] | ||
* [[Spring Security]] | * [[Spring Security]] | ||
| Line 179: | Line 182: | ||
* [[Java]] | * [[Java]] | ||
| valign= | |valign='top'| | ||
* [[Spring Exception Handling]] | * [[Spring Exception Handling]] | ||
* [[Security/Certificate/TLS|Security » Certificate » TLS]] | * [[Security/Certificate/TLS|Security » Certificate » TLS]] | ||
Revision as of 10:41, 19 December 2025
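/**
 * Servlet filter that writes a fixed set of browser security headers onto
 * every response and then continues the filter chain.
 *
 * <p>Mapped to all paths via {@code @WebFilter(urlPatterns = {"/*"})} and
 * exposed as a Spring bean via {@code @Component}. NOTE(review): Spring Boot
 * also registers {@code Filter} beans on its own, so when servlet-component
 * scanning is enabled this filter may be registered twice — confirm against
 * the application's actual filter chain.
 */
@Component
@WebFilter(urlPatterns = {"/*"})
public class ResponseHeaderWebFilter implements Filter {

    /**
     * Sets the security headers and delegates to the rest of the chain.
     *
     * <p>Headers are written before {@code chain.doFilter} so they are in
     * place before anything downstream commits the response. {@code setHeader}
     * replaces any existing value for the same name, so these values win over
     * headers set by earlier filters.
     *
     * @param request  the incoming request, passed through untouched
     * @param response the response to decorate; headers are only applied when
     *                 it is an {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from downstream filters/servlets
     * @throws ServletException propagated from downstream filters/servlets
     */
    @Override
    public void doFilter(
            ServletRequest request,
            ServletResponse response, FilterChain chain
    ) throws IOException, ServletException {
        // Non-HTTP responses cannot carry these headers; pass them through
        // instead of failing with a ClassCastException.
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;

        // 'unsafe-inline' and 'unsafe-eval' on default-src still permit inline
        // and eval'd script, so this policy does little against XSS; it only
        // limits which origins may be loaded. Tighten per deployment.
        httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;");
        // One year, covering subdomains, eligible for the HSTS preload list.
        httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains ; preload");
        // Permissions-Policy uses structured-field syntax: feature=(allowlist)
        // with bare `self` and an empty list `()` meaning "deny everywhere".
        // The previous value "geolocation 'self'; payment 'none'" was
        // Feature-Policy syntax and is not parsed as a Permissions-Policy.
        httpServletResponse.setHeader("Permissions-Policy", "geolocation=(self), payment=()");
        // Stop browsers from MIME-sniffing response bodies.
        httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
        // Full referrer same-origin, origin only cross-origin, nothing on downgrade.
        httpServletResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        // Legacy clickjacking defence; a CSP frame-ancestors directive would
        // supersede it where supported, but this policy does not set one.
        httpServletResponse.setHeader("X-Frame-Options", "DENY");

        chain.doFilter(request, response);
    }
}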
Default Sources
/**
 * Builds the {@code default-src} source list: the directive name, the
 * keyword sources, the Google / Facebook / DoubleClick / TikTok origins and
 * the blob/data entry, joined with {@code SOURCE_DELIMITER} and then passed
 * through {@code getFilteredSources} for the {@code DEFAULT_SRC} directive.
 *
 * @return the filtered default-src source list
 */
private String getDefaultSources() {
    final String googleOrigins = "https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/";
    final String facebookOrigins = "https://www.facebook.com/ https://connect.facebook.net/";
    final String doubleClickOrigins = "https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/";
    final String tiktokOrigins = "https://analytics.tiktok.com/";

    // Join directly from varargs; the element order is the one the policy
    // string is expected to carry (directive name first, then keywords).
    final String joinedSources = String.join(
            SOURCE_DELIMITER,
            DEFAULT_SRC, SELF, UNSAFE_INLINE, UNSAFE_EVAL,
            googleOrigins, facebookOrigins, doubleClickOrigins, tiktokOrigins,
            BLOB_DATA
    );
    return getFilteredSources(joinedSources, DEFAULT_SRC);
}
Content Security Policy
# Per-directive allowlist. object-src 'none' blocks plugin content, but
# 'unsafe-inline' and 'unsafe-eval' on script-src still permit inline and
# eval'd script, so XSS protection here comes from the host allowlist alone.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'
# Everything under a single default-src; appears to be the value the
# getDefaultSources() method on this page produces (same origins, same order).
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/ https://www.google.com.my/ https://analytics.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.facebook.com/ https://connect.facebook.net/ https://stats.g.doubleclick.net/ https://11141660.fls.doubleclick.net/ https://googleads.g.doubleclick.net/ https://analytics.tiktok.com/ data: blob:
# default-src * allows any origin for every fetch type not listed; only
# style, font and script are narrowed. The script allowlist still carries
# the unsafe-* keywords.
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com
# As above; note the plain-http source expression for www.google.com.
Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com;
# The next three combine * (or 'self' plus *) with 'unsafe-inline',
# 'unsafe-eval', data: and blob:, which leaves essentially nothing
# restricted. Useful only as a starting point while tightening.
content-security-policy: default-src 'self' * 'unsafe-inline' 'unsafe-eval' data: blob:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:
# Tightest example on the page: own origin plus one CDN host, no unsafe keywords.
Content-Security-Policy: default-src 'self' cdn.chorke.org
Content Security Policy » Nginx
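server {
    server_name academia.chorke.org;
    # …more…

    # `always` makes nginx emit these on every status code. Without it
    # add_header only applies to 2xx/3xx responses, so error pages would be
    # sent without the security headers.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # frame-ancestors is the part of this policy doing real work. Where CSP is
    # supported it takes precedence over the X-Frame-Options header above —
    # that one allows same-origin framing while this allowlist names
    # shahed.biz only, so confirm which framing policy is intended. The
    # default-src value allows everything and is effectively a no-op.
    add_header Content-Security-Policy "frame-ancestors https://shahed.biz; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:" always;
    # Permissions-Policy allowlists are structured-field inner lists:
    # feature=() denies the feature everywhere. The former camera=('none')
    # form is Feature-Policy syntax and is not valid here.
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    # …more…

    # add_header is inherited into a location only when that location sets
    # no add_header of its own; keep that in mind if this block gains any.
    location / {
        return 301 https://academia.chorke.org$request_uri;
    }
}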
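# Validate the configuration first and only restart when the syntax check
# passes, so a typo in the config cannot take the server down.
nginx -t && systemctl restart nginx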
Permissions Policy
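# Deny the listed features everywhere: an empty allowlist () means no origin,
# not even the document's own, may use the feature.
Permissions-Policy: camera=(), microphone=(), geolocation=()
# Same intent with payment added. The earlier form camera=('none') borrowed
# Feature-Policy keywords; Permissions-Policy is a structured-field
# dictionary and a quoted 'none' is not a valid allowlist member.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
# Grant a feature to specific origins only (double-quoted strings); add a
# bare self inside the parentheses to include the document's own origin.
Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")
# Broad lock-down. interest-cohort=() opted a site out of FLoC, a trial that
# has since been retired, so that member is harmless but inert today.
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()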