| |
| Since Mozilla released their site to check if web pages have security issues named https://observatory.mozilla.org[Mozilla Observatory] |
| a few things which can be done to get a high grade within this ranking without using further frameworks. |
| |
| Add a request cycle listener to your web application and adjust the headers to fit your requirements: |
| [source,java] |
| ---- |
| @Override |
| protected void init() |
| { |
| super.init(); |
| |
| getRequestCycleListeners().add(new IRequestCycleListener(){ |
| |
| @Override |
| public void onEndRequest(RequestCycle cycle) |
| { |
| WebResponse response = (WebResponse) cycle.getResponse(); |
| response.setHeader("X-XSS-Protection", "1; mode=block"); |
| response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); |
| response.setHeader("X-Content-Type-Options", "nosniff"); |
| response.setHeader("X-Frame-Options", "sameorigin"); |
| response.setHeader("Content-Security-Policy", "default-src https:"); |
| } |
| }); |
| } |
| ---- |
| |
| Add this configuration to your web.xml (or let your server redirect to https): |
| [source,xml] |
| ---- |
| <?xml version="1.0" encoding="UTF-8"?> |
| <security-constraint> |
| <web-resource-collection> |
| <web-resource-name>Entire Application</web-resource-name> |
| <url-pattern>/*</url-pattern> |
| </web-resource-collection> |
| <user-data-constraint> |
| <transport-guarantee>CONFIDENTIAL</transport-guarantee> |
| </user-data-constraint> |
| </security-constraint> |
| ---- |
| |
| After this changes you have to check if your web application continues to work because it fits the requirements given with these headers. For example that resources could not be requested from other domains anymore. |
| |
