From a9102319b8b1e00439d4f7ade542000d0d924620 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Sat, 10 Oct 2020 12:03:26 +0300
Subject: [PATCH] Add SameSite cookie and Content Security Policy header
Signed-off-by: Pekka Helenius
---
.../bookstore/config/WebSecurityConfig.java | 6 +++
.../session/BookSameSiteCookieFilter.java | 39 +++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
index 1325237..ccd45e3 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -17,7 +17,9 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import com.fjordtek.bookstore.service.session.BookSameSiteCookieFilter;
 import com.fjordtek.bookstore.service.session.BookStoreAccessDeniedHandler;
 import com.fjordtek.bookstore.service.session.BookStoreAuthenticationFailureHandler;
 import com.fjordtek.bookstore.service.session.BookStoreAuthenticationSuccessHandler;
@@ -119,6 +121,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 * public access to it is denied by default.
 */
 httpSecurity
+ .addFilterAfter(new BookSameSiteCookieFilter(), BasicAuthenticationFilter.class)
 .authorizeRequests()
 .antMatchers(
 env.getProperty("spring.h2.console.path") + "/**",
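Review bot: `.addFilterAfter(new BookSameSiteCookieFilter(), BasicAuthenticationFilter.class)` places the filter so late in the Spring Security chain that the responses most likely to carry a fresh session cookie never reach it: by Spring Security's default ordering, UsernamePasswordAuthenticationFilter (form login, which the imported BookStoreAuthenticationSuccessHandler suggests is in use) runs before BasicAuthenticationFilter and finishes the login response itself without continuing the chain, and CsrfFilter and LogoutFilter likewise short-circuit when they reject or handle a request. A header-rewriting filter has to sit at the front, e.g. `.addFilterBefore(new BookSameSiteCookieFilter(), ChannelProcessingFilter.class)` (the first filter in the default chain) or be registered as a servlet-level Filter bean with `Ordered.HIGHEST_PRECEDENCE`, and it must wrap the response rather than write a header before delegating, because the session cookie is added later in the request than this filter runs. Note that the filter's own Set-Cookie value, reviewed on the new file below, does not produce a usable cookie regardless of where it is registered. The configure(HttpSecurity) method this hunk modifies starts and ends outside the hunk.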
@@ -163,6 +166,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .and()
 .headers()
 .frameOptions().sameOrigin()
+// .contentTypeOptions().disable()
+ .contentSecurityPolicy("frame-ancestors 'self'")
+ ;
 }
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java b/bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java
new file mode 100644
index 0000000..07bfd5a
--- /dev/null
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java
@@ -0,0 +1,39 @@
+//Pekka Helenius , Fjordtek 2020
+
+package com.fjordtek.bookstore.service.session;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.web.filter.GenericFilterBean;
+
+/**
+
+ * @see https://owasp.org/www-community/SameSite
+ * @see https://docs.microsoft.com/en-us/previous-versions//ms533046%28v=vs.85%29?redirectedfrom=MSDN#protecting-data-with-http-only-cookies
+
+ * @author Pekka Helenius
+ */
+
+public class BookSameSiteCookieFilter extends GenericFilterBean {
+
+ @Override
+ public void doFilter(
+ ServletRequest requestData,
+ ServletResponse responseData,
+ FilterChain chain)
+ throws IOException, ServletException {
+
+ HttpServletResponse httpResponse = (HttpServletResponse) responseData;
+ httpResponse.setHeader("Set-Cookie", "HttpOnly; SameSite=strict;");
+ chain.doFilter(requestData, responseData);
+
+ }
+
+
+}
\ No newline at end of file
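Review bot: The `.contentSecurityPolicy("frame-ancestors 'self'")` added here only restricts who may frame the page, which the `frameOptions().sameOrigin()` call on the line above already does for browsers honouring X-Frame-Options, so despite the commit subject it gives no `script-src`/`object-src`/`base-uri` protection against injected content. If a real CSP is the goal, start with a report-only policy such as `.contentSecurityPolicy("default-src 'self'; frame-ancestors 'self'").reportOnly()` and tighten it once the app's inline scripts and styles are accounted for, since an over-strict policy silently breaks the UI. The commented-out `// .contentTypeOptions().disable()` should be deleted rather than left as a hint that X-Content-Type-Options might be turned off, and the dangling `;` on its own line belongs at the end of the preceding call. The configure(HttpSecurity) method this hunk modifies starts outside the hunk.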
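Review bot: `httpResponse.setHeader("Set-Cookie", "HttpOnly; SameSite=strict;")` in doFilter does not produce a cookie at all: a Set-Cookie value must begin with a `name=value` pair (RFC 6265), so browsers discard this header, and the session cookie the container issues later in the request (typically JSESSIONID, added when the session is created) still goes out without HttpOnly or SameSite. Because `setHeader` replaces rather than appends, the line would also discard any Set-Cookie an earlier filter had already placed on the response. These attributes belong at the container level: `server.servlet.session.cookie.http-only=true` in the application properties, and for SameSite either `server.servlet.session.cookie.same-site=strict` on Spring Boot 2.6+ or, on the Boot 2.x versions current when this was written, a Tomcat cookie-processor customizer like the one below (assuming the embedded container is Tomcat, the Boot default). Consider `Lax` rather than `Strict` for the session cookie, since Strict drops the session on every cross-site top-level navigation (a link from another site lands the user logged out) while Lax still blocks the cross-site POSTs that matter for CSRF. With that in place this filter and its registration in WebSecurityConfig can be deleted.
```java
// Replaces BookSameSiteCookieFilter: have the container stamp SameSite on every cookie it issues.
@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> sameSiteCookieCustomizer() {
    return factory -> factory.addContextCustomizers(context -> {
        Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
        processor.setSameSiteCookies("Strict"); // or "Lax"; see note above
        context.setCookieProcessor(processor);
    });
}
```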