Browse Source

Add SameSite cookie and Content Security Policy header

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.4-alpha
Pekka Helenius 4 years ago
parent
commit
a9102319b8
2 changed files with 45 additions and 0 deletions
  1. +6
    -0
      bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
  2. +39
    -0
      bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java

+ 6
- 0
bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java View File

@ -17,7 +17,9 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import com.fjordtek.bookstore.service.session.BookSameSiteCookieFilter;
import com.fjordtek.bookstore.service.session.BookStoreAccessDeniedHandler;
import com.fjordtek.bookstore.service.session.BookStoreAuthenticationFailureHandler;
import com.fjordtek.bookstore.service.session.BookStoreAuthenticationSuccessHandler;
@ -119,6 +121,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
* public access to it is denied by default.
*/
httpSecurity
.addFilterAfter(new BookSameSiteCookieFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers(
env.getProperty("spring.h2.console.path") + "/**",
@ -163,6 +166,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
.and()
.headers()
.frameOptions().sameOrigin()
// .contentTypeOptions().disable()
.contentSecurityPolicy("frame-ancestors 'self'")
;
}


+ 39
- 0
bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java View File

@ -0,0 +1,39 @@
//Pekka Helenius <fincer89@hotmail.com>, Fjordtek 2020
package com.fjordtek.bookstore.service.session;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.GenericFilterBean;
/**
*
* @see https://owasp.org/www-community/SameSite
* @see https://docs.microsoft.com/en-us/previous-versions//ms533046%28v=vs.85%29?redirectedfrom=MSDN#protecting-data-with-http-only-cookies
*
* @author Pekka Helenius
*/
public class BookSameSiteCookieFilter extends GenericFilterBean {
@Override
public void doFilter(
ServletRequest requestData,
ServletResponse responseData,
FilterChain chain)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) responseData;
httpResponse.setHeader("Set-Cookie", "HttpOnly; SameSite=strict;");
chain.doFilter(requestData, responseData);
}
}

Loading…
Cancel
Save