001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * <p> 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * <p> 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018 019package org.apache.hadoop.hbase.http; 020 021import java.io.IOException; 022import java.util.HashMap; 023import java.util.Map; 024import javax.servlet.Filter; 025import javax.servlet.FilterChain; 026import javax.servlet.FilterConfig; 027import javax.servlet.ServletException; 028import javax.servlet.ServletRequest; 029import javax.servlet.ServletResponse; 030import javax.servlet.http.HttpServletResponse; 031import org.apache.commons.lang3.StringUtils; 032import org.apache.hadoop.conf.Configuration; 033import org.apache.hadoop.hbase.HBaseInterfaceAudience; 034import org.apache.yetus.audience.InterfaceAudience; 035import org.slf4j.Logger; 036import org.slf4j.LoggerFactory; 037 038@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG) 039public class SecurityHeadersFilter implements Filter { 040 private static final Logger LOG = 041 LoggerFactory.getLogger(SecurityHeadersFilter.class); 042 private static final String DEFAULT_HSTS = ""; 043 private static final String DEFAULT_CSP = ""; 044 private FilterConfig filterConfig; 045 046 @Override 047 public void init(FilterConfig filterConfig) throws ServletException { 048 this.filterConfig = filterConfig; 049 LOG.info("Added security headers filter"); 050 } 051 052 @Override 053 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 054 throws IOException, ServletException { 055 HttpServletResponse httpResponse = (HttpServletResponse) response; 056 httpResponse.addHeader("X-Content-Type-Options", "nosniff"); 057 httpResponse.addHeader("X-XSS-Protection", "1; mode=block"); 058 String hsts = filterConfig.getInitParameter("hsts"); 059 if (StringUtils.isNotBlank(hsts)) { 060 httpResponse.addHeader("Strict-Transport-Security", hsts); 061 } 062 String csp = filterConfig.getInitParameter("csp"); 063 if (StringUtils.isNotBlank(csp)) { 064 httpResponse.addHeader("Content-Security-Policy", csp); 065 } 066 chain.doFilter(request, response); 067 } 068 069 @Override 070 public void destroy() { 071 } 072 073 public static Map<String, String> getDefaultParameters(Configuration conf) { 074 Map<String, String> params = new HashMap<>(); 075 params.put("hsts", conf.get("hbase.http.filter.hsts.value", 076 DEFAULT_HSTS)); 077 params.put("csp", conf.get("hbase.http.filter.csp.value", 078 DEFAULT_CSP)); 079 return params; 080 } 081}