Details
-
Feature
-
Status: Released (View Workflow)
-
Minor
-
Resolution: Fixed
-
None
-
None
Description
Current Situation
- The JOC Cockpit makes use of HTTP response headers only that are functionally required.
- In addition, a number of security related headers
- should be provided by default.
- should be adjustable by users.
Desired Behavior
The following response headers are added in ./jetty/etc/jetty-rewrite.xml
- X-Frame-Options: sameorigin
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy: default-src 'self'
- Permissions-Policy: accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none); image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security: max-age=31536000; includeSubDomains
Snippet of jetty-rewrite.xml
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Frame-Options</Set>
<Set name="value">sameorigin</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Content-Type-Options</Set>
<Set name="value">nosniff</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-XSS-Protection</Set>
<Set name="value">1; mode=block</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Content-Security-Policy</Set>
<Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Permissions-Policy</Set>
<Set name="value">accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none); image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Referrer-Policy</Set>
<Set name="value">strict-origin-when-cross-origin</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=31536000; includeSubDomains</Set>
</New>
</Arg>
</Call>
Find a full sample from the attached file jetty-rewrite.xml
In addition the file ./jetty/start.ini should be added the following setting:
Snippet of start.ini
# ---------------------------------------
# Module: rewrite
# Allow HTTP headers to be added from {Jetty-Home}/etc/jetty-rewrite.xml
# ---------------------------------------
--module=rewrite
This module will be also added (since release 1.12.3) by calling the script
> ./install/install_jetty_base.(sh|cmd) rewrite
which executes
java -jar "${JOC_JETTY_HOME}\start.jar" -Djetty.home="${JOC_JETTY_HOME}" -Djetty.base="${JOC_JETTY_BASE}" --add-to-start=rewrite
Maintainer Notes
- To limit response headers for use with client browsers and to exclude them from use with REST clients apply the following pattern to ./jetty/etc/jetty-rewrite.xml:
<Set name="pattern">^((?!/joc/api/).)*$</Set>
- The limitation of response headers to be provided for client browsers only becomes available with release 1.13.9