Add HTTP security Headers in the response

Ajay Arora
Hello All,

We're looking for ways to add different HTTP security headers
like X-Frame-Options, X-XSS-Protection and others to the HTTP response.
We're using Tapestry 5.4.3.

One way I found was to add an additional filter in web.xml before the
Tapestry filter takes over, but then it adds the headers to all requests,
including those for static files, and I'm not sure if the X-Frame-Options
header etc. should be included in the response to such requests.

I feel like we should wait until Tapestry is done handling the request and then
add the security headers before the response goes to the client, but I could
not find how to do that in Tapestry.

Is there a better way to do this in Tapestry?

Thanks for your help!
Re: Add HTTP security Headers in the response

Ben Weidig
Hi,

you could use an org.apache.tapestry5.services.RequestFilter.class to access
the response (
http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html
)

Something like this (untested code):

import java.io.IOException;

import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

public class MySecurityHeadersRequestFilter implements RequestFilter {

    @Override
    public boolean service(Request request, Response response,
                           RequestHandler handler) throws IOException {
        // Set the header before delegating: once the handler has written the
        // body the response is committed and header changes are ignored.
        response.addHeader("X-Frame-Options", "SAMEORIGIN"); // or "DENY"
        return handler.service(request, response);
    }
}

Then just contribute it in a module:

// in your AppModule class
public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
    conf.addInstance("my-security-headers", MySecurityHeadersRequestFilter.class);
}


Ben
--

Netzgut GmbH
Re: Add HTTP security Headers in the response

Ajay Arora
Thank you for the quick response and solution.

Does this way of adding the headers give us any advantage over having a
filter in front of the Tapestry filter, like maybe better performance?
I believe the built-in Tapestry filters would be called before any custom
filter(s), and one of those filters, like 'StaticFilesFilter', might stop some
requests from going further to the new custom filter? And I would still need to
check the resource type in the custom filter before setting a particular header,
since X-Frame-Options does not make sense for an image?

Thanks for your help!


Re: Add HTTP security Headers in the response

Ben Weidig
The main advantage is having the full power of Tapestry and your services
available to you. I can't speak for the performance; it might be faster with
a filter before Tapestry, but I don't think it would impact your
performance that much. We have multiple RequestFilters in our apps.

The configuration is an "OrderedConfiguration", so you can influence the
order of the filters:

conf.addInstance("my-security-headers", MySecurityHeadersRequestFilter.class, "before:StaticFiles");

The name of the contribution is defined in
org.apache.tapestry5.modules.TapestryModule.class:862

You have access to the request, so you can add the headers only when needed, or
just pass the request on to the next filter.

Hope this helps!

Ben

--

Netzgut GmbH
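Putting Ben's two replies together, here is an added, fully assembled example (not code from this thread and not part of Tapestry itself): a RequestFilter that sets the headers before delegating, skips Tapestry-generated asset URLs, and is contributed to the RequestHandler pipeline with an explicit ordering constraint. The package, class and contribution names are invented, the /assets/ and /modules/ prefixes assume the Tapestry 5.4 default asset URL layout, and the header values are one reasonable policy rather than the only correct one.

```java
package com.example.app.services; // hypothetical package, not from the thread

import java.io.IOException;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

public class AppModule {

    /**
     * Sets security headers on responses Tapestry produces itself (page renders,
     * component event responses, Ajax partial renders). Framing-related headers
     * are skipped for asset URLs, where they would be pointless noise.
     */
    public static class SecurityHeadersRequestFilter implements RequestFilter {

        // Assumption: Tapestry 5.4 default URL layout for assets and JS modules.
        private static final String[] ASSET_PREFIXES = { "/assets/", "/modules/" };

        @Override
        public boolean service(Request request, Response response, RequestHandler handler)
                throws IOException {
            // All header calls happen before delegating: once the page renderer has
            // written the body, the response is committed and setHeader is ignored.

            // Harmless and useful on every response, scripts and stylesheets included.
            response.setHeader("X-Content-Type-Options", "nosniff");

            if (!isAssetPath(request.getPath())) {
                // Only meaningful for documents a browser could frame or navigate from.
                response.setHeader("X-Frame-Options", "DENY");
                response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
                response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
            }

            return handler.service(request, response);
        }

        static boolean isAssetPath(String path) {
            for (String prefix : ASSET_PREFIXES) {
                if (path.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration) {
        // "after:StaticFiles": requests for real files in the web context are handed
        // back to the servlet container by Tapestry's StaticFiles filter and never
        // reach this filter, so the path check only has to recognise asset URLs.
        configuration.addInstance("SecurityHeaders", SecurityHeadersRequestFilter.class,
                "after:StaticFiles");
    }
}
```

Two points worth checking in your own deployment. First, the headers must be set before handler.service() is called: after the page renderer has written the body, the response is committed and the servlet container ignores setHeader(), which is why "wait until Tapestry is done, then add the headers" cannot work from a filter. Second, the ordering constraint decides which responses the filter sees: with "after:StaticFiles", files in the web context are served by the container and never reach this code; with Ben's "before:StaticFiles" the filter sees every request (so nosniff would also cover container-served files) and the path check has to do all the work. X-XSS-Protection is deliberately left out: Chrome and Edge have removed the XSS auditor it controlled and Firefox never implemented it, so a Content-Security-Policy is the replacement. Verify the result with curl -sI against a page URL and against an /assets/ URL and compare the two header sets.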
Re: Add HTTP security Headers in the response

Thiago H de Paula Figueiredo
On Wed, Oct 3, 2018 at 3:00 PM Ajay Arora <[hidden email]> wrote:

> Thank you for the quick response and solution.
>
> Does this way of adding the headers give us any advantage over having a
> filter in front of the Tapestry filter, like maybe better performance?
>

I cannot think of a reason why either option would be faster than the other, so I
suggest you do it in a RequestFilter, where you have everything in Tapestry and
Tapestry-IoC at your disposal.


--
Thiago