
Add security headers when returning static assets
pe4cey committed Mar 20, 2017
1 parent 49b282a commit 8bf650c
Showing 3 changed files with 11 additions and 7 deletions.
Expand Up @@ -483,7 +483,7 @@ private void loadStaticContent( SessionManager sm, String mountPoint )
staticContext.setBaseResource( resource );

addFiltersTo( staticContext );
staticContext.addFilter( new FilterHolder( new NoCacheHtmlFilter() ), "/*",
staticContext.addFilter( new FilterHolder( new StaticContentFilter() ), "/*",
EnumSet.of( DispatcherType.REQUEST, DispatcherType.FORWARD ) );

handlers.addHandler( staticContext );
Expand Up @@ -29,7 +29,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NoCacheHtmlFilter implements Filter
public class StaticContentFilter implements Filter
{
@Override
public void init( FilterConfig filterConfig ) throws ServletException
Expand All @@ -45,6 +45,8 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp
if ( request.getServletPath() != null && request.getServletPath().endsWith( ".html" ))
{
response.addHeader( "Cache-Control", "no-cache" );
response.addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
response.addHeader( "X-Frame-Options", "DENY" );
}
filterChain.doFilter( servletRequest, servletResponse);
}
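Review bot: The two added headers are gated by the `.html` suffix test on the line above them, so an HTML document reached without that suffix — a directory URL resolved through a welcome file such as `index.html`, or an upper-case `.HTML` variant on a case-insensitive resource base — would get no `frame-ancestors` / `X-Frame-Options` protection; whether such routes exist on this static context is not visible here, so confirm it, and if they do, matching on the response content type or the resolved resource rather than the servlet path suffix would be more robust. Separately, `addHeader` appends instead of replacing, so if any filter installed by `addFiltersTo` already emits `X-Frame-Options` the response carries duplicate and possibly conflicting values; `response.setHeader( "X-Frame-Options", "DENY" );` (and likewise for the CSP line) keeps the three lines idempotent, with the test's `verify( response ).addHeader` adjusted to match. A short comment above the new lines would also record the intent: `// Clickjacking hardening: CSP frame-ancestors is the current mechanism, X-Frame-Options the legacy fallback for older browsers`. `doFilter` begins above this hunk.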
Expand Up @@ -30,10 +30,10 @@
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;

public class NoCacheHtmlFilterTest
public class StaticContentFilterTest
{
@Test
public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception
public void shouldAddStaticContentHeadersToHtmlResponses() throws Exception
{
// given
HttpServletRequest request = mock(HttpServletRequest.class);
Expand All @@ -42,10 +42,12 @@ public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verify( response ).addHeader( "Cache-Control", "no-cache" );
verify( response ).addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
verify( response ).addHeader( "X-Frame-Options", "DENY" );
verify( filterChain ).doFilter( request, response );
}

Expand All @@ -59,7 +61,7 @@ public void shouldPassThroughRequestsForNonHtmlResources() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verifyZeroInteractions( response );
Expand All @@ -76,7 +78,7 @@ public void shouldPassThroughRequestsWithNullServletPath() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verifyZeroInteractions( response );
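Review bot: The three `verify( response ).addHeader( ... )` calls in `shouldAddStaticContentHeadersToHtmlResponses` prove each header is written at least once but not that nothing else is written, so an accidental extra or duplicated header would still pass; adding `verifyNoMoreInteractions( response );` after the `filterChain` verification (with the matching static import) pins the exact header set. The suffix rule is also untested at its edges: a case such as `/index.HTML` or `/page.html/` would document whether the filter is meant to match them, since the pass-through test further down only uses a clearly non-HTML path. The `// given` setup of this test method starts above the hunk.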
