SET-202 (project: SET - Setups)

Jetty is configured with security-related HTTP response headers


Details

    • Type: Feature
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.12.15, 1.13.8
    • Component/s: None

    Description

      Current Situation

      • The JOC Cockpit uses only those HTTP response headers that are functionally required.
      • In addition, a number of security-related headers
        • should be provided by default.
        • should be adjustable by users.

      Desired Behavior

      The following response headers are added in ./jetty/etc/jetty-rewrite.xml

      • X-Frame-Options: sameorigin
      • X-Content-Type-Options: nosniff
      • X-XSS-Protection: 1; mode=block
      • Content-Security-Policy: default-src 'self'
      • Permissions-Policy: accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)
      • Referrer-Policy: strict-origin-when-cross-origin
      • Strict-Transport-Security: max-age=31536000; includeSubDomains


      Snippet of jetty-rewrite.xml
            <!-- One HeaderPatternRule per header; the pattern "*" applies the header to every request path. -->
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-Frame-Options</Set>
                  <Set name="value">sameorigin</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-Content-Type-Options</Set>
                  <Set name="value">nosniff</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-XSS-Protection</Set>
                  <Set name="value">1; mode=block</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Content-Security-Policy</Set>
                  <Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Permissions-Policy</Set>
                  <!-- Permissions-Policy directives are comma-separated. -->
                  <Set name="value">accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Referrer-Policy</Set>
                  <Set name="value">strict-origin-when-cross-origin</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Strict-Transport-Security</Set>
                  <Set name="value">max-age=31536000; includeSubDomains</Set>
                </New>
              </Arg>
            </Call>


      A full sample is available in the attached file jetty-rewrite.xml.
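      The rule set above is easy to get subtly wrong by hand (a stray separator in a header value, a header dropped while editing, an HSTS max-age that is too short). The following is an added example, not code from the issue or from the JOC Cockpit, that parses a jetty-rewrite.xml document with Python's standard library, collects every HeaderPatternRule, and audits the result against the header set this issue specifies. The sample document is constructed here and abbreviated; its Permissions-Policy value deliberately carries the ";" typo so the audit has something to flag, and its Content-Security-Policy uses the snippet's script-src/style-src form rather than the default-src 'self' form listed under "Desired Behavior", since the page shows both.

```python
import re
import xml.etree.ElementTree as ET

# Header names the issue says jetty-rewrite.xml must emit.
EXPECTED_HEADERS = {
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Permissions-Policy",
    "Referrer-Policy",
    "Strict-Transport-Security",
}

ONE_YEAR = 31536000  # HSTS max-age configured by the issue (seconds)
HEADER_RULE_CLASS = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"


def parse_header_rules(xml_text):
    """Return [(pattern, name, value), ...] for every HeaderPatternRule in the document."""
    root = ET.fromstring(xml_text)
    rules = []
    for new in root.iter("New"):
        if new.get("class") != HEADER_RULE_CLASS:
            continue
        # Each <Set name="..."> child becomes one field of the rule.
        fields = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
        rules.append((fields.get("pattern", ""), fields.get("name", ""), fields.get("value", "")))
    return rules


def audit_rules(rules):
    """Return a list of findings; an empty list means the rule set matches the issue."""
    findings = []
    by_name = {name: value for _, name, value in rules}
    for missing in sorted(EXPECTED_HEADERS - set(by_name)):
        findings.append(f"missing header rule: {missing}")
    if by_name.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")
    hsts = by_name.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match or int(match.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    # Permissions-Policy directives are comma-separated; ';' starts a parameter
    # in the structured-field syntax and does not separate directives.
    if ";" in by_name.get("Permissions-Policy", ""):
        findings.append("Permissions-Policy: directives are comma-separated, ';' found")
    csp = by_name.get("Content-Security-Policy", "")
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in csp:
            findings.append(f"Content-Security-Policy allows {weak}")
    return findings


def _rule(name, value):
    # Helper building one constructed HeaderPatternRule element for the sample document.
    return (f'<Call name="addRule"><Arg><New class="{HEADER_RULE_CLASS}">'
            f'<Set name="pattern">*</Set><Set name="name">{name}</Set>'
            f'<Set name="value">{value}</Set></New></Arg></Call>')


# Constructed, abbreviated stand-in for jetty-rewrite.xml (not the attached file).
SAMPLE_RULES = [
    ("X-Frame-Options", "sameorigin"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy",
     "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"),
    # The ';' after gyroscope reproduces the typo so the audit flags it.
    ("Permissions-Policy", "camera=(none), geolocation=(none), gyroscope=(none); microphone=(none)"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
SAMPLE_REWRITE_XML = (
    '<Configure class="org.eclipse.jetty.rewrite.handler.RewriteHandler">'
    + "".join(_rule(n, v) for n, v in SAMPLE_RULES)
    + "</Configure>"
)


def audit_document(xml_text):
    """Parse and audit in one step; this is what a CI check would call on the real file."""
    return audit_rules(parse_header_rules(xml_text))


if __name__ == "__main__":
    for finding in audit_document(SAMPLE_REWRITE_XML):
        print(finding)
```

      Run it against the real ./jetty/etc/jetty-rewrite.xml by passing the file contents to audit_document(); the CSP findings are informational (the UI may genuinely need inline scripts), while the Permissions-Policy and HSTS findings point at values that should be corrected before release.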

      In addition, the following setting should be added to the file ./jetty/start.ini:

      Snippet of start.ini
      # ---------------------------------------
      # Module: rewrite
      # Allow HTTP headers to be added from {Jetty-Home}/etc/jetty-rewrite.xml
      # ---------------------------------------

      --module=rewrite


      Since release 1.12.3, this module is also added by calling the script

      > ./install/install_jetty_base.(sh|cmd) rewrite

      which executes

      java -jar "${JOC_JETTY_HOME}/start.jar" -Djetty.home="${JOC_JETTY_HOME}" -Djetty.base="${JOC_JETTY_BASE}" --add-to-start=rewrite


      Maintainer Notes

      • To limit the response headers to client browsers and to exclude them from responses to REST clients, apply the following pattern in ./jetty/etc/jetty-rewrite.xml:
        <Set name="pattern">^((?!/joc/api/).)*$</Set>
      • Restricting the response headers to client browsers only becomes available with release 1.13.9.
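      The pattern in the maintainer notes is a regular expression with a negative lookahead: it matches any request path in which the substring "/joc/api/" never occurs, so the header rules apply to the UI paths and are skipped for the REST API. The following added example (not part of the issue or of JOC Cockpit) evaluates that expression against constructed paths and audits constructed responses for the header set this issue adds; the paths and header dictionaries are assumptions, not captured from a real installation. Two details worth noting: a path such as "/joc/api" without a trailing slash is still selected by the pattern, and in Jetty's rewrite module regular expressions are the domain of HeaderRegexRule, while HeaderPatternRule (used in the snippet above) matches servlet-style path specs, so the rule class should match the pattern style in use.

```python
import re

# Pattern from the maintainer notes; (?!...) is checked at every position, so the
# whole path matches only if "/joc/api/" occurs nowhere in it.
BROWSER_ONLY_PATTERN = re.compile(r"^((?!/joc/api/).)*$")

# Header names the issue adds for browser clients.
BROWSER_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Permissions-Policy",
    "Referrer-Policy",
    "Strict-Transport-Security",
)


def headers_apply(path):
    """True if the maintainer-note pattern selects this request path."""
    return BROWSER_ONLY_PATTERN.match(path) is not None


def audit_response(path, headers):
    """Return the browser headers missing from a response the pattern covers.

    REST paths excluded by the pattern return an empty list: the issue deliberately
    does not add the headers there, so their absence is not a finding.
    """
    if not headers_apply(path):
        return []
    present = {name.lower() for name in headers}  # header names are case-insensitive
    return [h for h in BROWSER_HEADERS if h.lower() not in present]


# Constructed responses (assumed, not captured from JOC Cockpit): path -> response headers.
SAMPLE_RESPONSES = {
    "/joc/index.html": {
        "Content-Type": "text/html",
        "X-Frame-Options": "sameorigin",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'",
        "Permissions-Policy": "camera=(none), microphone=(none)",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    # UI response from which HSTS was stripped (for instance by a reverse proxy in front of Jetty).
    "/joc/login": {
        "Content-Type": "text/html",
        "X-Frame-Options": "sameorigin",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'",
        "Permissions-Policy": "camera=(none), microphone=(none)",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    # REST API response: excluded by the pattern, so no headers are expected.
    "/joc/api/orders": {"Content-Type": "application/json"},
    # No trailing slash: the lookahead never sees "/joc/api/", so the UI rule set applies.
    "/joc/api": {"Content-Type": "application/json"},
}


def run_audit(responses=SAMPLE_RESPONSES):
    """Map each path to the list of headers the pattern says it should carry but does not."""
    return {path: audit_response(path, headers) for path, headers in responses.items()}


if __name__ == "__main__":
    for path, missing in run_audit().items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{path:<20} covered={headers_apply(path)!s:<5} {status}")
```

      When pointed at real responses (for example header dictionaries collected with an HTTP client), the audit separates "header intentionally absent on a REST path" from "header missing on a UI path", which is the distinction the maintainer notes introduce.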

      People: Oliver Haufe, Kanika Agrawal