// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.filter.security.misc;
import com.yahoo.jdisc.http.filter.DiscFilterResponse;
import com.yahoo.jdisc.http.filter.RequestView;
import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
/**
 * Adds recommended security response headers intended for hardening Rest APIs over https.
 * <p>
 * The header set is fixed and is written to every response that passes through the filter:
 * caching is disabled ({@code Cache-control: no-store}, {@code Pragma: no-cache}), HSTS is
 * enabled for one year including subdomains, MIME sniffing is turned off, framing is denied,
 * the referrer policy is {@code strict-origin-when-cross-origin} and {@code Vary: *} is set.
 * Headers are written with {@code setHeader}, so a value the handler already put on the
 * response under the same name is presumably replaced rather than appended to — confirm
 * against {@link DiscFilterResponse#setHeader}.
 * <p>
 * NOTE(review): browsers only honour {@code Strict-Transport-Security} when it arrives over
 * TLS, and {@code includeSubDomains} commits every subdomain of the serving host to HTTPS for
 * the whole max-age; {@code Vary: *} additionally tells shared caches that no stored copy of
 * the response can be reused. Both are intended for an https-only API and should be revisited
 * if the filter is ever attached to a plain-http or cacheable endpoint.
 *
 * @author bjorncs
 */
public class SecurityHeadersResponseFilter implements SecurityResponseFilter {

    /** Header name/value pairs, applied in this order to every response. */
    private static final String[][] HARDENING_HEADERS = {
            {"Cache-control", "no-store"},
            {"Pragma", "no-cache"},
            {"Strict-Transport-Security", "max-age=31536000; includeSubDomains"},
            {"X-Content-Type-Options", "nosniff"},
            {"X-Frame-Options", "DENY"},
            {"Referrer-Policy", "strict-origin-when-cross-origin"},
            {"Vary", "*"},
    };

    /**
     * Writes the fixed hardening header set onto {@code response}.
     *
     * @param response the response whose headers are set (existing values for these names are overwritten)
     * @param request  the originating request; not consulted, the header set does not depend on it
     */
    @Override
    public void filter(DiscFilterResponse response, RequestView request) {
        for (String[] header : HARDENING_HEADERS) {
            response.setHeader(header[0], header[1]);
        }
    }
}