ResponseFilter.java

/**
 * Copyright (c) Codice Foundation
 * <p>
 * This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser
 * General Public License as published by the Free Software Foundation, either version 3 of the
 * License, or any later version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details. A copy of the GNU Lesser General Public License
 * is distributed along with this program and can be found at
 * <http://www.gnu.org/licenses/lgpl.html>.
 */
package org.codice.ddf.platform.response.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Servlet filter that adds security information to the http response header.
 */
public class ResponseFilter implements Filter {

    private static final Logger LOGGER = LoggerFactory.getLogger(ResponseFilter.class);

    public static final String X_XSS_PROTECTION = "X-XSS-Protection";

    public static final String X_FRAME_OPTIONS = "X-Frame-Options";

    public static final String X_CONTENT_SECURITY_POLICY = "X-Content-Security-Policy";

    public static final String CACHE_CONTROL = "Cache-Control";

    public static final String DEFAULT_XSS_PROTECTION_VALUE = "1; mode=block";

    public static final String DEFAULT_X_FRAME_OPTIONS_VALUE = "SAMEORIGIN";

    public static final String DEFAULT_CONTENT_SECURITY_POLICY =
            "default-src 'none'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'";

    // Arbitrarily chose one week as a reasonable default. 604800 is one week in seconds.
    public static final String DEFAULT_CACHE_CONTROL_VALUE = "private, max-age=604800, immutable";

    private List<String> headers = Arrays.asList(
            X_XSS_PROTECTION + "=" + DEFAULT_XSS_PROTECTION_VALUE,
            X_FRAME_OPTIONS + "=" + DEFAULT_X_FRAME_OPTIONS_VALUE,
            X_CONTENT_SECURITY_POLICY + "=" + DEFAULT_CONTENT_SECURITY_POLICY,
            CACHE_CONTROL + "=" + DEFAULT_CACHE_CONTROL_VALUE);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.debug("Initializing Response Security Filter.");
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        for (String header : headers) {
            String[] keyVal = header.split("=", 2);
            if (keyVal.length != 2) {
                LOGGER.debug("Skipping bad header " + header);
                continue;
            }
            response.setHeader(keyVal[0], keyVal[1]);
        }

        filterChain.doFilter(servletRequest, response);
    }

    @Override
    public void destroy() {
        LOGGER.debug("Destroying Response Security Filter.");
    }

    public void setHeaders(List<String> headers) {
        this.headers = headers;
    }
}