SET-202: Jetty is configured with security-related HTTP response headers


    Details

    • Type: Feature
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.12.15, 1.13.8
    • Labels:
      None

      Description

      Current Situation

      • The JOC Cockpit uses only those HTTP response headers that are functionally required.
      • In addition, a number of security-related headers
        • should be provided by default.
        • should be adjustable by users.

      Desired Behavior

      The following response headers are added in ./jetty/etc/jetty-rewrite.xml:

      • X-Frame-Options: sameorigin
      • X-Content-Type-Options: nosniff
      • X-XSS-Protection: 1; mode=block
      • Content-Security-Policy: default-src 'self'
      • Permissions-Policy: accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)
      • Referrer-Policy: strict-origin-when-cross-origin
      • Strict-Transport-Security: max-age=31536000; includeSubDomains


      Snippet of jetty-rewrite.xml
            <!-- One HeaderPatternRule per header; the pattern "*" applies the header to every request path -->
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-Frame-Options</Set>
                  <Set name="value">sameorigin</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-Content-Type-Options</Set>
                  <Set name="value">nosniff</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">X-XSS-Protection</Set>
                  <Set name="value">1; mode=block</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Content-Security-Policy</Set>
                  <Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Permissions-Policy</Set>
                  <Set name="value">accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Referrer-Policy</Set>
                  <Set name="value">strict-origin-when-cross-origin</Set>
                </New>
              </Arg>
            </Call>
            <Call name="addRule">
              <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                  <Set name="pattern">*</Set>
                  <Set name="name">Strict-Transport-Security</Set>
                  <Set name="value">max-age=31536000; includeSubDomains</Set>
                </New>
              </Arg>
            </Call>


      A full sample is available in the attached file jetty-rewrite.xml.

      In addition, the following setting should be added to the file ./jetty/start.ini:

      Snippet of start.ini
      # ---------------------------------------
      # Module: rewrite
      # Allow HTTP headers to be added from {Jetty-Home}/etc/jetty-rewrite.xml
      # ---------------------------------------

      --module=rewrite


      Since release 1.12.3 this module is also added by calling the script

      > ./install/install_jetty_base.(sh|cmd) rewrite
      

      which executes

      java -jar "${JOC_JETTY_HOME}/start.jar" -Djetty.home="${JOC_JETTY_HOME}" -Djetty.base="${JOC_JETTY_BASE}" --add-to-start=rewrite
      

      Maintainer Notes

      • To limit the response headers to client browsers and to exclude them from REST clients, apply the following pattern in ./jetty/etc/jetty-rewrite.xml so that requests to /joc/api/ are left out:
        <Set name="pattern">^((?!/joc/api/).)*$</Set>
        Note that this is a regular expression: Jetty's HeaderPatternRule matches servlet-style path specs (such as /* or *.html), so a regular expression has to be used with a HeaderRegexRule, whose setting is named regex.
      • The limitation of response headers to client browsers only becomes available with release 1.13.9.
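      As an added check that is not part of this issue or of the JOC Cockpit code, the following Python script parses the HeaderPatternRule and HeaderRegexRule entries of a rewrite configuration, works out which headers Jetty should add for a given request path, and diffs them against the headers a response actually carries. The embedded XML excerpt is constructed for the example and places the regular expression from the maintainer note in a HeaderRegexRule (Jetty's regex-based header rule, whose setting is named regex); the servlet path-spec matcher is a simplified reimplementation of Jetty's matching, and fetch_headers is an extra helper for running the same check against a live instance.

```python
"""Verify the security headers from jetty-rewrite.xml against a response.

Added example, not part of issue SET-202 or the JOC Cockpit code base.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the issue's jetty-rewrite.xml. The
# HeaderRegexRule at the end carries the maintainer note's regex so that the
# header is added for browser paths but not for /joc/api/ REST calls.
SAMPLE_REWRITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configure id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
  <Call name="addRule">
    <Arg>
      <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
        <Set name="pattern">*</Set>
        <Set name="name">X-Content-Type-Options</Set>
        <Set name="value">nosniff</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addRule">
    <Arg>
      <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
        <Set name="pattern">*</Set>
        <Set name="name">Strict-Transport-Security</Set>
        <Set name="value">max-age=31536000; includeSubDomains</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addRule">
    <Arg>
      <New class="org.eclipse.jetty.rewrite.handler.HeaderRegexRule">
        <Set name="regex">^((?!/joc/api/).)*$</Set>
        <Set name="name">X-Frame-Options</Set>
        <Set name="value">sameorigin</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

HEADER_RULE_CLASSES = (
    "org.eclipse.jetty.rewrite.handler.HeaderPatternRule",
    "org.eclipse.jetty.rewrite.handler.HeaderRegexRule",
)


def parse_header_rules(xml_text):
    """Return a list of (matcher_kind, matcher, header_name, header_value)."""
    rules = []
    for new in ET.fromstring(xml_text).iter("New"):
        if new.get("class") not in HEADER_RULE_CLASSES:
            continue
        settings = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
        if "regex" in settings:
            rules.append(("regex", settings["regex"], settings["name"], settings["value"]))
        else:
            rules.append(("pattern", settings["pattern"], settings["name"], settings["value"]))
    return rules


def path_spec_matches(spec, path):
    """Simplified servlet-style path spec matching (assumption, not Jetty's code):
    '*', '/*' and '/' match everything, '/prefix/*' matches by prefix,
    '*.ext' matches by suffix, anything else must match exactly."""
    if spec in ("*", "/*", "/"):
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def expected_headers(rules, path):
    """Headers the rewrite rules should add to a response for `path`."""
    expected = {}
    for kind, matcher, name, value in rules:
        if kind == "regex":
            matched = re.fullmatch(matcher, path) is not None
        else:
            matched = path_spec_matches(matcher, path)
        if matched:
            expected[name] = value
    return expected


def check_headers(rules, path, response_headers):
    """Compare actual response headers (names case-insensitive) with what the
    rules require for `path`. Returns {header: (expected, actual)} for every
    header that is missing or carries a different value; an empty dict is OK."""
    actual = {k.lower(): v for k, v in response_headers.items()}
    problems = {}
    for name, value in expected_headers(rules, path).items():
        got = actual.get(name.lower())
        if got is None or got.strip() != value:
            problems[name] = (value, got)
    return problems


def fetch_headers(url):
    """Fetch a URL and return its response headers, for checking a live instance."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    rules = parse_header_rules(SAMPLE_REWRITE_XML)
    # Constructed response headers, as a JOC Cockpit page might return them
    ui_response = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print(check_headers(rules, "/joc/index.html", ui_response))
```

      Run against a deployment with check_headers(rules, path, fetch_headers(url)) for a browser path and for a /joc/api/ path: the first should require all headers, the second should not require the regex-scoped ones, and any non-empty result points at a header that the rewrite handler did not add or that a proxy in front of Jetty has rewritten.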

        Attachments

        1. jetty-rewrite.xml
          5 kB
          Andreas Püschel

              People

              • Assignee:
                Oliver Haufe
                Reporter:
                Oliver Haufe
                Approver:
                Kanika Agrawal