Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 * <p>
010 * http://www.apache.org/licenses/LICENSE-2.0
011 * <p>
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.hbase.http;
020
021import java.io.IOException;
022import java.util.HashMap;
023import java.util.Map;
024import javax.servlet.Filter;
025import javax.servlet.FilterChain;
026import javax.servlet.FilterConfig;
027import javax.servlet.ServletException;
028import javax.servlet.ServletRequest;
029import javax.servlet.ServletResponse;
030import javax.servlet.http.HttpServletResponse;
031import org.apache.commons.lang3.StringUtils;
032import org.apache.hadoop.conf.Configuration;
033import org.apache.hadoop.hbase.HBaseInterfaceAudience;
034import org.apache.yetus.audience.InterfaceAudience;
035import org.slf4j.Logger;
036import org.slf4j.LoggerFactory;
037
038@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
039public class SecurityHeadersFilter implements Filter {
040  private static final Logger LOG =
041      LoggerFactory.getLogger(SecurityHeadersFilter.class);
042  private static final String DEFAULT_HSTS = "";
043  private static final String DEFAULT_CSP = "";
044  private FilterConfig filterConfig;
045
046  @Override
047  public void init(FilterConfig filterConfig) throws ServletException {
048    this.filterConfig = filterConfig;
049    LOG.info("Added security headers filter");
050  }
051
052  @Override
053  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
054      throws IOException, ServletException {
055    HttpServletResponse httpResponse = (HttpServletResponse) response;
056    httpResponse.addHeader("X-Content-Type-Options", "nosniff");
057    httpResponse.addHeader("X-XSS-Protection", "1; mode=block");
058    String hsts = filterConfig.getInitParameter("hsts");
059    if (StringUtils.isNotBlank(hsts)) {
060      httpResponse.addHeader("Strict-Transport-Security", hsts);
061    }
062    String csp = filterConfig.getInitParameter("csp");
063    if (StringUtils.isNotBlank(csp)) {
064      httpResponse.addHeader("Content-Security-Policy", csp);
065    }
066    chain.doFilter(request, response);
067  }
068
069  @Override
070  public void destroy() {
071  }
072
073  public static Map<String, String> getDefaultParameters(Configuration conf) {
074    Map<String, String> params = new HashMap<>();
075    params.put("hsts", conf.get("hbase.http.filter.hsts.value",
076        DEFAULT_HSTS));
077    params.put("csp", conf.get("hbase.http.filter.csp.value",
078        DEFAULT_CSP));
079    return params;
080  }
081}