45 |
private boolean hstsIncludeSubDomains = false; |
45 |
private boolean hstsIncludeSubDomains = false; |
46 |
private String hstsHeaderValue; |
46 |
private String hstsHeaderValue; |
47 |
|
47 |
|
|
|
48 |
// HPKP |
49 |
private static final String HPKP_HEADER_NAME = "Public-Key-Pins"; |
50 |
private static final String HPKP_RO_HEADER_NAME = "Public-Key-Pins-Report-Only"; |
51 |
private HpkpEnabled hpkpEnabled = HpkpEnabled.FALSE; |
52 |
private int hpkpMaxAgeSeconds = 0; |
53 |
private boolean hpkpIncludeSubDomains = false; |
54 |
private String hpkpReportUri = null; |
55 |
private String hpkpPins = null; |
56 |
private String hpkpHeaderValue; |
57 |
|
48 |
// Click-jacking protection |
58 |
// Click-jacking protection |
49 |
private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; |
59 |
private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; |
50 |
private boolean antiClickJackingEnabled = true; |
60 |
private boolean antiClickJackingEnabled = true; |
74 |
} |
84 |
} |
75 |
hstsHeaderValue = hstsValue.toString(); |
85 |
hstsHeaderValue = hstsValue.toString(); |
76 |
|
86 |
|
|
|
87 |
// Build HPKP header value |
88 |
StringBuilder hpkpValue = new StringBuilder("max-age="); |
89 |
hpkpValue.append(hpkpMaxAgeSeconds); |
90 |
if (hpkpIncludeSubDomains) { |
91 |
hpkpValue.append("; includeSubDomains"); |
92 |
} |
93 |
if (hpkpReportUri != null) { |
94 |
hpkpValue.append("; report-uri=\""); |
95 |
hpkpValue.append(hpkpReportUri); |
96 |
hpkpValue.append("\""); |
97 |
} |
98 |
if (hpkpPins != null) { |
99 |
String[] hpkpPinArray = hpkpPins.split(",\\s*"); |
100 |
String hpkpHashType, hpkpHashValue; |
101 |
for (int i = 0; i < hpkpPinArray.length / 2; i++) { |
102 |
hpkpHashType = hpkpPinArray[2 * i]; |
103 |
hpkpHashValue = hpkpPinArray[2 * i + 1]; |
104 |
hpkpValue.append("; pin-"); |
105 |
hpkpValue.append(hpkpHashType); |
106 |
hpkpValue.append(""); |
107 |
hpkpValue.append("=\""); |
108 |
hpkpValue.append(hpkpHashValue); |
109 |
hpkpValue.append("\""); |
110 |
} |
111 |
} |
112 |
hpkpHeaderValue = hpkpValue.toString(); |
113 |
|
77 |
// Anti click-jacking |
114 |
// Anti click-jacking |
78 |
StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); |
115 |
StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); |
79 |
if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { |
116 |
if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { |
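Review bot: The pin loop at new lines 98-111 accepts any configuration, so an enabled HPKP filter with `hpkpPins` unset, a single pin, or an odd number of comma-separated tokens still produces a `Public-Key-Pins` header that either carries no `pin-` directive at all or silently drops the trailing token; RFC 7469 requires a backup pin, i.e. at least two pin directives, so init should reject such a configuration instead of building the header, e.g. `if (hpkpEnabled != HpkpEnabled.FALSE && (hpkpPins == null || hpkpPinArray.length < 4 || hpkpPinArray.length % 2 != 0)) { throw new ServletException(sm.getString("<new message key>")); }` placed before the loop (the null test has to come before the `split`). `hpkpValue.append("");` at new line 106 is a no-op and should be deleted. The report-uri and pin values are copied into the header verbatim; they come from filter init parameters rather than request input, but a stray `"` or `;` in a value yields an unparseable header that a simple character check at init would catch early. The enclosing init method starts and ends outside this hunk.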
95 |
throw new ServletException(sm.getString("httpHeaderSecurityFilter.committed")); |
132 |
throw new ServletException(sm.getString("httpHeaderSecurityFilter.committed")); |
96 |
} |
133 |
} |
97 |
|
134 |
|
98 |
// HSTS |
135 |
if(request.isSecure()) { |
99 |
if (hstsEnabled && request.isSecure()) { |
136 |
// HSTS |
100 |
httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue); |
137 |
if (hstsEnabled) { |
|
|
138 |
httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue); |
139 |
} |
140 |
|
141 |
// HPKP |
142 |
if (hpkpEnabled == HpkpEnabled.REPORT_ONLY) { |
143 |
httpResponse.setHeader(HPKP_RO_HEADER_NAME, hpkpHeaderValue); |
144 |
} else if (hpkpEnabled == HpkpEnabled.TRUE) { |
145 |
httpResponse.setHeader(HPKP_HEADER_NAME, hpkpHeaderValue); |
146 |
} |
101 |
} |
147 |
} |
102 |
|
148 |
|
103 |
// anti click-jacking |
149 |
// anti click-jacking |
169 |
} |
215 |
} |
170 |
|
216 |
|
171 |
|
217 |
|
|
|
218 |
public HpkpEnabled getHpkpEnabled() { |
219 |
return hpkpEnabled; |
220 |
} |
172 |
|
221 |
|
|
|
222 |
|
223 |
public void setHpkpEnabled(String hpkpEnabled){ |
224 |
this.hpkpEnabled = HpkpEnabled.parse(hpkpEnabled); |
225 |
} |
226 |
|
227 |
|
228 |
public int getHpkpMaxAgeSeconds() { |
229 |
return hpkpMaxAgeSeconds; |
230 |
} |
231 |
|
232 |
|
233 |
public void setHpkpMaxAgeSeconds(int hpkpMaxAgeSeconds) { |
234 |
if (hpkpMaxAgeSeconds < 0) { |
235 |
this.hpkpMaxAgeSeconds = 0; |
236 |
} else { |
237 |
this.hpkpMaxAgeSeconds = hpkpMaxAgeSeconds; |
238 |
} |
239 |
} |
240 |
|
241 |
|
242 |
public boolean isHpkpIncludeSubDomains() { |
243 |
return hpkpIncludeSubDomains; |
244 |
} |
245 |
|
246 |
|
247 |
public void setHpkpIncludeSubDomains(boolean hpkpIncludeSubDomains) { |
248 |
this.hpkpIncludeSubDomains = hpkpIncludeSubDomains; |
249 |
} |
250 |
|
251 |
|
252 |
public String getHpkpReportUri() { |
253 |
return this.hpkpReportUri; |
254 |
} |
255 |
|
256 |
|
257 |
public void setHpkpReportUri(String hpkpReportUri) { |
258 |
this.hpkpReportUri = hpkpReportUri; |
259 |
} |
260 |
|
261 |
|
262 |
public String getHpkpPins() { |
263 |
return this.hpkpPins; |
264 |
} |
265 |
|
266 |
|
267 |
public void setHpkpPins(String hpkpPins) { |
268 |
this.hpkpPins = hpkpPins; |
269 |
} |
270 |
|
271 |
|
173 |
public boolean isAntiClickJackingEnabled() { |
272 |
public boolean isAntiClickJackingEnabled() { |
174 |
return antiClickJackingEnabled; |
273 |
return antiClickJackingEnabled; |
175 |
} |
274 |
} |
199 |
} |
298 |
} |
200 |
|
299 |
|
201 |
|
300 |
|
202 |
|
|
|
203 |
public String getAntiClickJackingUri() { |
301 |
public String getAntiClickJackingUri() { |
204 |
return antiClickJackingUri.toString(); |
302 |
return antiClickJackingUri.toString(); |
205 |
} |
303 |
} |
250 |
return headerValue; |
348 |
return headerValue; |
251 |
} |
349 |
} |
252 |
} |
350 |
} |
|
|
351 |
|
352 |
private enum HpkpEnabled { |
353 |
TRUE, |
354 |
FALSE, |
355 |
REPORT_ONLY; |
356 |
|
357 |
public static HpkpEnabled parse(String value){ |
358 |
switch(value.toLowerCase()){ |
359 |
case "true" : |
360 |
return TRUE; |
361 |
case "false" : |
362 |
return FALSE; |
363 |
case "reportonly" : |
364 |
return REPORT_ONLY; |
365 |
default: |
366 |
throw new IllegalArgumentException(sm.getString( |
367 |
"httpHeaderSecurityFilter.hpkpenabled.invalid", value)); |
368 |
} |
369 |
} |
370 |
} |
253 |
} |
371 |
} |
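Review bot: `HpkpEnabled.parse` at new lines 357-369 lowercases with the JVM default locale and dereferences `value` with no null check, so a missing or unset init parameter surfaces as a NullPointerException rather than the filter's own invalid-value message; prefer `switch (value == null ? "" : value.toLowerCase(Locale.ENGLISH)) {` so the `default` branch reports it (the `java.util.Locale` import lives outside this hunk and may need adding). The accepted spellings are not documented anywhere on the page; `setHpkpEnabled` at new lines 223-225 should carry a Javadoc such as `/** Accepts "true", "false" or "reportonly" (case-insensitive); any other value fails init. */`. If an alias like `report-only` is meant to be supported, it needs its own `case` here, since the switch matches the literal `"reportonly"` only.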