ResponseHeaderHandlerInterceptor.java

/**
 * Most of the code in the Qalingo project is copyrighted Hoteia and licensed
 * under the Apache License Version 2.0 (release version 0.8.0)
 *         http://www.apache.org/licenses/LICENSE-2.0
 *
 *                   Copyright (c) Hoteia, 2012-2014
 * http://www.hoteia.com - http://twitter.com/hoteia - contact@hoteia.com
 *
 */
package org.hoteia.qalingo.core.web.mvc.interceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.hoteia.qalingo.core.web.util.RequestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class ResponseHeaderHandlerInterceptor implements HandlerInterceptor {

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    protected RequestUtil requestUtil;
    
    @Override
    public boolean preHandle(HttpServletRequest request, 
                             HttpServletResponse response, Object handler) throws Exception {
        try {

            // https://www.owasp.org/index.php/Content_Security_Policy
            
            // HTTP "Content-Security-Policy" (CSP)
            String policy = "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.kxcdn.com *.sumome.com *.google-analytics.com *.googleapis.com *.gstatic.com *.google.com *.pingdom.net *.addthisedge.com *.addthis.com; connect-src 'self' sumome.com *.sumome.com *.addthis.com *.googleapis.com; img-src 'self' data: *.sumome.com *.pingdom.net *.gstatic.com *.google.com *.google-analytics.com *.googleapis.com; child-src 'self' *.addthis.com; style-src 'self' 'unsafe-inline' *.kxcdn.com *.googleapis.com; font-src 'self' *.gstatic.com";
            // Chrome
            response.addHeader("Content-Security-Policy", policy);
            // Safari
            response.addHeader("X-WebKit-CSP", policy);
            // Firefox, IE
            response.addHeader("X-Content-Security-Policy", policy);

            response.addHeader("Access-Control-Allow-Origin", "*.addthis.com *.sumome.com");

            // HTTP "X-Frame-Options"
//          response.addHeader("X-Frame-Options", "DENY");
            
            // HTTP "X-Frame-Options"
            response.addHeader("X-XSS-Protection", "1; mode=block");
            
            // HTTP "X-Content-Type-Options"
            response.addHeader("X-Content-Type-Options", "nosniff");
            
            // HTTP Caches
            // No cache html
//            if("http".equalsIgnoreCase(request.getScheme())){
//                response.addHeader("Cache-Control", "public, max-age=86400, must-revalidate"); // 86400 1 jour
//                // response.addHeader("Expires", "Mon, 25 Jun 2012 21:31:12 GMT");
//            }
            
        } catch (Exception e) {
            logger.error("addClickstream failed", e);
        }
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, 
                                Object handler, Exception exception) throws Exception {
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, 
                           Object handler, ModelAndView modelAndView) throws Exception {
    }

}