Add security headers when returning static assets
pe4cey committed Mar 20, 2017
1 parent 49b282a commit 8bf650c
Showing 3 changed files with 11 additions and 7 deletions.
Expand Up @@ -483,7 +483,7 @@ private void loadStaticContent( SessionManager sm, String mountPoint )
staticContext.setBaseResource( resource ); staticContext.setBaseResource( resource );


addFiltersTo( staticContext ); addFiltersTo( staticContext );
staticContext.addFilter( new FilterHolder( new NoCacheHtmlFilter() ), "/*", staticContext.addFilter( new FilterHolder( new StaticContentFilter() ), "/*",
EnumSet.of( DispatcherType.REQUEST, DispatcherType.FORWARD ) ); EnumSet.of( DispatcherType.REQUEST, DispatcherType.FORWARD ) );


handlers.addHandler( staticContext ); handlers.addHandler( staticContext );
Expand Up @@ -29,7 +29,7 @@
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;


public class NoCacheHtmlFilter implements Filter public class StaticContentFilter implements Filter
{ {
@Override @Override
public void init( FilterConfig filterConfig ) throws ServletException public void init( FilterConfig filterConfig ) throws ServletException
Expand All @@ -45,6 +45,8 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp
if ( request.getServletPath() != null && request.getServletPath().endsWith( ".html" )) if ( request.getServletPath() != null && request.getServletPath().endsWith( ".html" ))
{ {
response.addHeader( "Cache-Control", "no-cache" ); response.addHeader( "Cache-Control", "no-cache" );
response.addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
response.addHeader( "X-Frame-Options", "DENY" );
} }
filterChain.doFilter( servletRequest, servletResponse); filterChain.doFilter( servletRequest, servletResponse);
} }
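Review bot: The new Content-Security-Policy and X-Frame-Options headers are sent only when the servlet path ends with ".html", so an HTML document reached through a path without that suffix — a welcome-file request for the directory root, or an extensionless URL, if the static context serves either — presumably goes out without any framing protection; the guard at the top of this hunk is where that case would need to be covered, and the test file in this commit has no case for it. The two headers are also appended with addHeader rather than setHeader, so if any filter registered earlier by addFiltersTo already emits X-Frame-Options the client receives two values; `response.setHeader( "X-Frame-Options", "DENY" );` (and likewise for the CSP line) would make this filter authoritative. A short Javadoc on StaticContentFilter stating that HTML responses get both the no-cache and the anti-framing headers, and why the two are tied to the same path check, would help later maintainers keep them in step. doFilter's body begins above this hunk.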
Expand Up @@ -30,10 +30,10 @@
import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;


public class NoCacheHtmlFilterTest public class StaticContentFilterTest
{ {
@Test @Test
public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception public void shouldAddStaticContentHeadersToHtmlResponses() throws Exception
{ {
// given // given
HttpServletRequest request = mock(HttpServletRequest.class); HttpServletRequest request = mock(HttpServletRequest.class);
Expand All @@ -42,10 +42,12 @@ public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception
FilterChain filterChain = mock( FilterChain.class ); FilterChain filterChain = mock( FilterChain.class );


// when // when
new NoCacheHtmlFilter().doFilter( request, response, filterChain ); new StaticContentFilter().doFilter( request, response, filterChain );


// then // then
verify( response ).addHeader( "Cache-Control", "no-cache" ); verify( response ).addHeader( "Cache-Control", "no-cache" );
verify( response ).addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
verify( response ).addHeader( "X-Frame-Options", "DENY" );
verify( filterChain ).doFilter( request, response ); verify( filterChain ).doFilter( request, response );
} }


Expand All @@ -59,7 +61,7 @@ public void shouldPassThroughRequestsForNonHtmlResources() throws Exception
FilterChain filterChain = mock( FilterChain.class ); FilterChain filterChain = mock( FilterChain.class );


// when // when
new NoCacheHtmlFilter().doFilter( request, response, filterChain ); new StaticContentFilter().doFilter( request, response, filterChain );


// then // then
verifyZeroInteractions( response ); verifyZeroInteractions( response );
Expand All @@ -76,7 +78,7 @@ public void shouldPassThroughRequestsWithNullServletPath() throws Exception
FilterChain filterChain = mock( FilterChain.class ); FilterChain filterChain = mock( FilterChain.class );


// when // when
new NoCacheHtmlFilter().doFilter( request, response, filterChain ); new StaticContentFilter().doFilter( request, response, filterChain );


// then // then
verifyZeroInteractions( response ); verifyZeroInteractions( response );
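Review bot: shouldAddStaticContentHeadersToHtmlResponses verifies the three addHeader calls one by one but never asserts that the response receives nothing else, so an accidental extra header or a duplicate call would still pass; adding `verifyNoMoreInteractions( response );` after the three verify lines would pin the exact header set, assuming doFilter touches the response nowhere else outside the hunk. The suite also lacks a case for a request whose servlet path does not end in ".html" yet still yields an HTML document (a welcome-file request for the root), so it cannot show whether such responses carry the new headers. Each test method's body starts above its hunk.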
