author | Kristóf Marussy <kristof@marussy.com> | 2022-10-08 20:51:20 +0200 |
---|---|---|
committer | Kristóf Marussy <kristof@marussy.com> | 2022-11-05 19:41:16 +0100 |
commit | 681439bfbf3311efeb05f8732f4742cd180d3941 (patch) | |
tree | d84f889e1be53a44818b9f02b63d8bc3548278b3 /subprojects/language-web/src/main | |
parent | refactor(frontend): improve HMR experience (diff) | |
refactor(frontend): tighten security headers
Diffstat (limited to 'subprojects/language-web/src/main')
-rw-r--r-- | subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java | 9 |
1 files changed, 6 insertions, 3 deletions
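--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -10,14 +10,17 @@ public class SecurityHeadersFilter implements Filter {
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
 ServletException {
 if (response instanceof HttpServletResponse httpResponse) {
-httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; " +
+httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " +
+"script-src 'self'; " +
 // CodeMirror needs inline styles, see e.g.,
 // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
 "style-src 'self' 'unsafe-inline'; " +
 // Use 'data:' for displaying inline SVG backgrounds.
 "img-src 'self' data:; " +
-"object-src 'none'; " +
-"base-uri 'none';");
+"font-src 'self'; " +
+"connect-src 'self'; " +
+"manifest-src 'self'; " +
+"worker-src 'self';");
 httpResponse.setHeader("X-Content-Type-Options", "nosniff");
 httpResponse.setHeader("X-Frame-Options", "DENY");
 httpResponse.setHeader("Referrer-Policy", "strict-origin");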
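Review bot: The new Content-Security-Policy drops `base-uri 'none'` (old line 20) without a replacement, and base-uri is one of the directives that does not fall back to `default-src`, so the new header leaves `<base>` injection unrestricted where the old one blocked it; the dropped `object-src 'none'`, by contrast, is covered by the new `default-src 'none'`. Restore it by changing the final fragment to `"worker-src 'self'; " +` and adding `"base-uri 'none';");` as the last line. The same non-inheriting rule applies to `form-action` and `frame-ancestors`; a `form-action 'self'` directive and a `frame-ancestors 'none'` directive mirroring the `X-Frame-Options: DENY` header set just below would be consistent with the commit's stated intent, though I can't tell from the hunk whether the app posts forms anywhere. A one-line comment such as `// base-uri does not inherit from default-src, so it must be set explicitly` next to the restored directive would keep the next refactor from removing it again. The doFilter method continues outside the hunk.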