diff options
| author |  Kristóf Marussy <kristof@marussy.com> | 2022-10-08 20:51:20 +0200 |
|---|---|---|
| committer | Kristóf Marussy <kristof@marussy.com> | 2022-11-05 19:41:16 +0100 |
| commit | 681439bfbf3311efeb05f8732f4742cd180d3941 (patch) | |
| tree | d84f889e1be53a44818b9f02b63d8bc3548278b3 /subprojects/language-web/src/main/java | |
| parent | refactor(frontend): improve HMR experience (diff) | |
| download | refinery-681439bfbf3311efeb05f8732f4742cd180d3941.tar.gz refinery-681439bfbf3311efeb05f8732f4742cd180d3941.tar.zst refinery-681439bfbf3311efeb05f8732f4742cd180d3941.zip | |
refactor(frontend): tighten security headers
Diffstat (limited to 'subprojects/language-web/src/main/java')
| -rw-r--r-- | subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java index 40dd7ee5..c41db799 100644 --- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java | |||
| @@ -10,14 +10,17 @@ public class SecurityHeadersFilter implements Filter { | |||
| 10 | public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, | 10 | public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, |
| 11 | ServletException { | 11 | ServletException { |
| 12 | if (response instanceof HttpServletResponse httpResponse) { | 12 | if (response instanceof HttpServletResponse httpResponse) { |
| 13 | httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; " + | 13 | httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " + |
| 14 | "script-src 'self'; " + | ||
| 14 | // CodeMirror needs inline styles, see e.g., | 15 | // CodeMirror needs inline styles, see e.g., |
| 15 | // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2 | 16 | // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2 |
| 16 | "style-src 'self' 'unsafe-inline'; " + | 17 | "style-src 'self' 'unsafe-inline'; " + |
| 17 | // Use 'data:' for displaying inline SVG backgrounds. | 18 | // Use 'data:' for displaying inline SVG backgrounds. |
| 18 | "img-src 'self' data:; " + | 19 | "img-src 'self' data:; " + |
| 19 | "object-src 'none'; " + | 20 | "font-src 'self'; " + |
| 20 | "base-uri 'none';"); | 21 | "connect-src 'self'; " + |
| 22 | "manifest-src 'self'; " + | ||
| 23 | "worker-src 'self';"); | ||
| 21 | httpResponse.setHeader("X-Content-Type-Options", "nosniff"); | 24 | httpResponse.setHeader("X-Content-Type-Options", "nosniff"); |
| 22 | httpResponse.setHeader("X-Frame-Options", "DENY"); | 25 | httpResponse.setHeader("X-Frame-Options", "DENY"); |
| 23 | httpResponse.setHeader("Referrer-Policy", "strict-origin"); | 26 | httpResponse.setHeader("Referrer-Policy", "strict-origin"); |