Add security headers when returning static assets #8816

Merged
merged 1 commit into from Mar 20, 2017
Expand Up @@ -483,7 +483,7 @@ private void loadStaticContent( SessionManager sm, String mountPoint )
staticContext.setBaseResource( resource );

addFiltersTo( staticContext );
staticContext.addFilter( new FilterHolder( new NoCacheHtmlFilter() ), "/*",
staticContext.addFilter( new FilterHolder( new StaticContentFilter() ), "/*",
EnumSet.of( DispatcherType.REQUEST, DispatcherType.FORWARD ) );

handlers.addHandler( staticContext );
Expand Up @@ -29,7 +29,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NoCacheHtmlFilter implements Filter
public class StaticContentFilter implements Filter
{
@Override
public void init( FilterConfig filterConfig ) throws ServletException
Expand All @@ -45,6 +45,8 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp
if ( request.getServletPath() != null && request.getServletPath().endsWith( ".html" ))
{
response.addHeader( "Cache-Control", "no-cache" );
response.addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
response.addHeader( "X-Frame-Options", "DENY" );
}
filterChain.doFilter( servletRequest, servletResponse);
}
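Review bot: The two added headers are only emitted when the servlet path ends with ".html" (case-sensitively), so every other response this filter sees on its `/*` mapping — non-html static assets, an `index.HTML` spelling, and presumably the directory index when the path is `/` or empty — leaves without Content-Security-Policy or X-Frame-Options; if that narrowing is intended it deserves a class-level Javadoc now that the class name no longer says "html". `addHeader` also appends rather than replaces, so if anything earlier in the chain already sets X-Frame-Options the response will carry two values; using `response.setHeader( "Content-Security-Policy", "frame-ancestors 'none'" );` and `response.setHeader( "X-Frame-Options", "DENY" );` makes this filter's value the authoritative one. The enclosing doFilter method begins outside the hunk.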
Expand Up @@ -30,10 +30,10 @@
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;

public class NoCacheHtmlFilterTest
public class StaticContentFilterTest
{
@Test
public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception
public void shouldAddStaticContentHeadersToHtmlResponses() throws Exception
{
// given
HttpServletRequest request = mock(HttpServletRequest.class);
Expand All @@ -42,10 +42,12 @@ public void shouldAddCacheControlHeaderToHtmlResponses() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verify( response ).addHeader( "Cache-Control", "no-cache" );
verify( response ).addHeader( "Content-Security-Policy", "frame-ancestors 'none'" );
verify( response ).addHeader( "X-Frame-Options", "DENY" );
verify( filterChain ).doFilter( request, response );
}

Expand All @@ -59,7 +61,7 @@ public void shouldPassThroughRequestsForNonHtmlResources() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verifyZeroInteractions( response );
Expand All @@ -76,7 +78,7 @@ public void shouldPassThroughRequestsWithNullServletPath() throws Exception
FilterChain filterChain = mock( FilterChain.class );

// when
new NoCacheHtmlFilter().doFilter( request, response, filterChain );
new StaticContentFilter().doFilter( request, response, filterChain );

// then
verifyZeroInteractions( response );
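Review bot: The three verify calls in shouldAddStaticContentHeadersToHtmlResponses confirm each header is added but not that the filter adds nothing else, so a stray extra header would go unnoticed; adding `verifyNoMoreInteractions( response );` after them would pin the exact header set the filter emits. There is also no test for a path such as `index.HTML` or the bare `/`, both of which the filter's `endsWith( ".html" )` check would pass through without the new headers — a test naming that expectation either way would document whether the narrowing is deliberate. The request setup for each test is outside the shown hunks.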