forked from jhipster/generator-jhipster-micronaut
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
close jhipster#124
- Loading branch information
Showing
5 changed files
with
117 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
generators/heroku/templates/StrictTransportSecurityHeaderFilter.java.ejs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
package <%=packageName%>.security; | ||
|
||
import io.micronaut.context.annotation.Requires; | ||
import io.micronaut.context.env.Environment; | ||
import io.micronaut.core.async.publisher.Publishers; | ||
import io.micronaut.http.HttpRequest; | ||
import io.micronaut.http.MutableHttpResponse; | ||
import io.micronaut.http.annotation.Filter; | ||
import io.micronaut.http.filter.OncePerRequestHttpServerFilter; | ||
import io.micronaut.http.filter.ServerFilterChain; | ||
import org.reactivestreams.Publisher; | ||
|
||
import static io.micronaut.http.annotation.Filter.MATCH_ALL_PATTERN; | ||
|
||
@Filter(patterns = {MATCH_ALL_PATTERN}) | ||
@Requires(env = Environment.HEROKU) | ||
public class StrictTransportSecurityHeaderFilter extends OncePerRequestHttpServerFilter { | ||
|
||
private static final String STRICT_TRANSPORT_SECURITY_HEADER = "Strict-Transport-Security"; | ||
|
||
@Override | ||
protected Publisher<MutableHttpResponse<?>> doFilterOnce(HttpRequest<?> request, ServerFilterChain chain) { | ||
|
||
return Publishers.map(chain.proceed(request), mutableHttpResponse -> { | ||
mutableHttpResponse.header(STRICT_TRANSPORT_SECURITY_HEADER, "max-age=31536000; includeSubDomains"); | ||
return mutableHttpResponse; | ||
}); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
44 changes: 44 additions & 0 deletions
44
generators/server/templates/src/main/java/package/security/SecurityHeaderFilter.java.ejs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
package <%=packageName%>.security; | ||
|
||
import io.micronaut.core.async.publisher.Publishers; | ||
import io.micronaut.http.HttpRequest; | ||
import io.micronaut.http.MutableHttpResponse; | ||
import io.micronaut.http.annotation.Filter; | ||
import io.micronaut.http.filter.OncePerRequestHttpServerFilter; | ||
import io.micronaut.http.filter.ServerFilterChain; | ||
import org.reactivestreams.Publisher; | ||
|
||
import static io.micronaut.http.annotation.Filter.MATCH_ALL_PATTERN; | ||
|
||
@Filter(patterns = {MATCH_ALL_PATTERN}) | ||
public class SecurityHeaderFilter extends OncePerRequestHttpServerFilter { | ||
|
||
private static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options"; | ||
private static final String X_CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options"; | ||
private static final String X_XSS_PROTECTION_HEADER = "X-XSS-Protection"; | ||
private static final String REFERRER_POLICY_HEADER = "Referrer-Policy"; | ||
private static final String FEATURE_POLICY_HEADER = "Feature-Policy"; | ||
private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy"; | ||
|
||
@Override | ||
protected Publisher<MutableHttpResponse<?>> doFilterOnce(HttpRequest<?> request, ServerFilterChain chain) { | ||
|
||
return Publishers.map(chain.proceed(request), mutableHttpResponse -> { | ||
addSecurityHeaders(mutableHttpResponse); | ||
return mutableHttpResponse; | ||
}); | ||
} | ||
|
||
protected void addSecurityHeaders(MutableHttpResponse<?> response) { | ||
response.header(X_FRAME_OPTIONS_HEADER, "DENY"); | ||
response.header(X_CONTENT_TYPE_OPTIONS_HEADER, "nosniff"); | ||
response.header(X_XSS_PROTECTION_HEADER, "1; mode=block"); | ||
response.header(REFERRER_POLICY_HEADER, "strict-origin-when-cross-origin"); | ||
response.header(FEATURE_POLICY_HEADER, "geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'"); | ||
<%_ if (clientTheme !== 'none') { _%> | ||
response.header(CONTENT_SECURITY_POLICY_HEADER, "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:"); | ||
<%_ } else { _%> | ||
response.header(CONTENT_SECURITY_POLICY_HEADER, "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:"); | ||
<%_ } _%> | ||
} | ||
} |
30 changes: 30 additions & 0 deletions
30
generators/server/templates/src/test/java/package/security/SecurityHeaderFilterTest.java.ejs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
package <%=packageName%>.security; | ||
|
||
import io.micronaut.http.MutableHttpResponse; | ||
import io.micronaut.http.simple.SimpleHttpResponseFactory; | ||
import org.junit.jupiter.api.Test; | ||
|
||
import static org.assertj.core.api.Assertions.*; | ||
|
||
class SecurityHeaderFilterTest { | ||
|
||
private final SecurityHeaderFilter subject = new SecurityHeaderFilter(); | ||
|
||
@Test | ||
public void assertSecurityHeadersAreAdded() { | ||
|
||
MutableHttpResponse<Object> response = new SimpleHttpResponseFactory().ok(); | ||
subject.addSecurityHeaders(response); | ||
|
||
assertThat(response.header("X-Frame-Options")).isEqualTo("DENY"); | ||
assertThat(response.header("X-Content-Type-Options")).isEqualTo("nosniff"); | ||
assertThat(response.header("X-XSS-Protection")).isEqualTo("1; mode=block"); | ||
assertThat(response.header("Referrer-Policy")).isEqualTo("strict-origin-when-cross-origin"); | ||
assertThat(response.header("Feature-Policy")).isEqualTo("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'"); | ||
<%_ if (clientTheme !== 'none') { _%> | ||
assertThat(response.header("Content-Security-Policy")).isEqualTo("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:"); | ||
<%_ } else { _%> | ||
assertThat(response.header("Content-Security-Policy")).isEqualTo("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:"); | ||
<%_ } _%> | ||
} | ||
} |