45 |
private boolean hstsIncludeSubDomains = false; |
45 |
private boolean hstsIncludeSubDomains = false; |
46 |
private String hstsHeaderValue; |
46 |
private String hstsHeaderValue; |
47 |
|
47 |
|
|
|
48 |
// HPKP |
49 |
private static final String HPKP_HEADER_NAME = "Public-Key-Pins"; |
50 |
private static final String HPKP_RO_HEADER_NAME = "Public-Key-Pins-Report-Only"; |
51 |
private boolean hpkpEnabled = false; |
52 |
private boolean hpkpReportOnly = false; |
53 |
private int hpkpMaxAgeSeconds = 0; |
54 |
private boolean hpkpIncludeSubDomains = false; |
55 |
private String hpkpReportUri = null; |
56 |
private String hpkpPins = null; |
57 |
private String hpkpHeaderValue; |
58 |
|
48 |
// Click-jacking protection |
59 |
// Click-jacking protection |
49 |
private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; |
60 |
private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; |
50 |
private boolean antiClickJackingEnabled = true; |
61 |
private boolean antiClickJackingEnabled = true; |
74 |
} |
85 |
} |
75 |
hstsHeaderValue = hstsValue.toString(); |
86 |
hstsHeaderValue = hstsValue.toString(); |
76 |
|
87 |
|
|
|
88 |
// Build HPKP header value |
89 |
StringBuilder hpkpValue = new StringBuilder("max-age="); |
90 |
hpkpValue.append(hpkpMaxAgeSeconds); |
91 |
if (hpkpIncludeSubDomains) { |
92 |
hpkpValue.append("; includeSubDomains"); |
93 |
} |
94 |
if (hpkpReportUri != null) { |
95 |
hpkpValue.append("; report-uri=\""); |
96 |
hpkpValue.append(hpkpReportUri); |
97 |
hpkpValue.append("\""); |
98 |
} |
99 |
if (hpkpPins != null) { |
100 |
String[] hpkpPinArray = hpkpPins.split(",\\s*"); |
101 |
String hpkpHashType, hpkpHashValue; |
102 |
for (int i = 0; i < hpkpPinArray.length / 2; i++) { |
103 |
hpkpHashType = hpkpPinArray[2 * i]; |
104 |
hpkpHashValue = hpkpPinArray[2 * i + 1]; |
105 |
hpkpValue.append("; pin-"); |
106 |
hpkpValue.append(hpkpHashType); |
107 |
hpkpValue.append(""); |
108 |
hpkpValue.append("=\""); |
109 |
hpkpValue.append(hpkpHashValue); |
110 |
hpkpValue.append("\""); |
111 |
} |
112 |
} |
113 |
hpkpHeaderValue = hpkpValue.toString(); |
114 |
|
77 |
// Anti click-jacking |
115 |
// Anti click-jacking |
78 |
StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); |
116 |
StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); |
79 |
if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { |
117 |
if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { |
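Review bot: The pin loop that builds hpkpHeaderValue (`for (int i = 0; i < hpkpPinArray.length / 2; i++)`) silently drops a trailing unpaired token when hpkpPins has an odd number of comma-separated entries and accepts any hash-type string, so a misconfiguration such as a missing value or a mistyped `sha256` yields a syntactically valid header instead of a startup error. Because a client that accepts a wrong pin is locked out of the site for the whole max-age, and RFC 7469 only defines `sha256` and requires a backup pin, the build should validate at init and refuse to start on fewer than two well-formed `sha256` pins; the `hpkpValue.append("");` line is a leftover no-op that can go. Note also that with `hpkpEnabled` and the default `hpkpMaxAgeSeconds = 0` the filter emits `max-age=0`, which tells clients to discard their pins, so max-age belongs in the same check. The enclosing init method starts and ends outside this hunk, so the exception type below assumes it declares ServletException — confirm. Mainstream browsers no longer honour Public-Key-Pins, so the option is worth documenting as high-risk/legacy in the filter's Javadoc.
```java
// … unchanged: HSTS value build, max-age / includeSubDomains / report-uri for HPKP …
if (hpkpPins != null) {
    String[] hpkpPinArray = hpkpPins.split(",\\s*");
    if (hpkpPinArray.length % 2 != 0) {
        throw new ServletException("hpkpPins must be a comma-separated list of hashType,value pairs");
    }
    int pinCount = 0;
    for (int i = 0; i < hpkpPinArray.length; i += 2) {
        String hpkpHashType = hpkpPinArray[i];
        String hpkpHashValue = hpkpPinArray[i + 1];
        // RFC 7469 defines only sha256; anything else would be emitted but never enforced
        if (!"sha256".equals(hpkpHashType) || hpkpHashValue.isEmpty()) {
            throw new ServletException("Unsupported HPKP pin entry: " + hpkpHashType + "," + hpkpHashValue);
        }
        hpkpValue.append("; pin-").append(hpkpHashType).append("=\"").append(hpkpHashValue).append('"');
        pinCount++;
    }
    if (pinCount < 2) {
        throw new ServletException("HPKP requires at least two pins (one must be a backup)");
    }
}
if (hpkpEnabled && hpkpMaxAgeSeconds <= 0) {
    throw new ServletException("hpkpMaxAgeSeconds must be positive when HPKP is enabled");
}
hpkpHeaderValue = hpkpValue.toString();
```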
100 |
httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue); |
138 |
httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue); |
101 |
} |
139 |
} |
102 |
|
140 |
|
|
|
141 |
// HPKP |
142 |
if (hpkpEnabled && request.isSecure()) { |
143 |
if (hpkpReportOnly) { |
144 |
httpResponse.setHeader(HPKP_RO_HEADER_NAME, hpkpHeaderValue); |
145 |
} else { |
146 |
httpResponse.setHeader(HPKP_HEADER_NAME, hpkpHeaderValue); |
147 |
} |
148 |
} |
149 |
|
103 |
// anti click-jacking |
150 |
// anti click-jacking |
104 |
if (antiClickJackingEnabled) { |
151 |
if (antiClickJackingEnabled) { |
105 |
httpResponse.setHeader(ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue); |
152 |
httpResponse.setHeader(ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue); |
169 |
} |
216 |
} |
170 |
|
217 |
|
171 |
|
218 |
|
|
|
219 |
public boolean isHpkpEnabled() { |
220 |
return hpkpEnabled; |
221 |
} |
172 |
|
222 |
|
|
|
223 |
|
224 |
public void setHpkpEnabled(boolean hpkpEnabled) { |
225 |
this.hpkpEnabled = hpkpEnabled; |
226 |
} |
227 |
|
228 |
|
229 |
public boolean isHpkpReportOnly() { |
230 |
return hpkpReportOnly; |
231 |
} |
232 |
|
233 |
|
234 |
public void setHpkpReportOnly(boolean hpkpReportOnly) { |
235 |
this.hpkpReportOnly = hpkpReportOnly; |
236 |
} |
237 |
|
238 |
|
239 |
public int getHpkpMaxAgeSeconds() { |
240 |
return hpkpMaxAgeSeconds; |
241 |
} |
242 |
|
243 |
|
244 |
public void setHpkpMaxAgeSeconds(int hpkpMaxAgeSeconds) { |
245 |
if (hpkpMaxAgeSeconds < 0) { |
246 |
this.hpkpMaxAgeSeconds = 0; |
247 |
} else { |
248 |
this.hpkpMaxAgeSeconds = hpkpMaxAgeSeconds; |
249 |
} |
250 |
} |
251 |
|
252 |
|
253 |
public boolean isHpkpIncludeSubDomains() { |
254 |
return hpkpIncludeSubDomains; |
255 |
} |
256 |
|
257 |
|
258 |
public void setHpkpIncludeSubDomains(boolean hpkpIncludeSubDomains) { |
259 |
this.hpkpIncludeSubDomains = hpkpIncludeSubDomains; |
260 |
} |
261 |
|
262 |
|
263 |
public String getHpkpReportUri() { |
264 |
return this.hpkpReportUri; |
265 |
} |
266 |
|
267 |
|
268 |
public void setHpkpReportUri(String hpkpReportUri) { |
269 |
this.hpkpReportUri = hpkpReportUri; |
270 |
} |
271 |
|
272 |
|
273 |
public String getHpkpPins() { |
274 |
return this.hpkpPins; |
275 |
} |
276 |
|
277 |
|
278 |
public void setHpkpPins(String hpkpPins) { |
279 |
this.hpkpPins = hpkpPins; |
280 |
} |
281 |
|
282 |
|
173 |
public boolean isAntiClickJackingEnabled() { |
283 |
public boolean isAntiClickJackingEnabled() { |
174 |
return antiClickJackingEnabled; |
284 |
return antiClickJackingEnabled; |
175 |
} |
285 |
} |