001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.IOException; 021import java.util.HashMap; 022import java.util.Map; 023import javax.servlet.Filter; 024import javax.servlet.FilterChain; 025import javax.servlet.FilterConfig; 026import javax.servlet.ServletException; 027import javax.servlet.ServletRequest; 028import javax.servlet.ServletResponse; 029import javax.servlet.http.HttpServletResponse; 030import org.apache.commons.lang3.StringUtils; 031import org.apache.hadoop.conf.Configuration; 032import org.apache.hadoop.hbase.HBaseInterfaceAudience; 033import org.apache.yetus.audience.InterfaceAudience; 034import org.slf4j.Logger; 035import org.slf4j.LoggerFactory; 036 037@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG) 038public class SecurityHeadersFilter implements Filter { 039 private static final Logger LOG = LoggerFactory.getLogger(SecurityHeadersFilter.class); 040 private static final String DEFAULT_HSTS = "max-age=63072000;includeSubDomains;preload"; 041 private static final String DEFAULT_CSP = 042 "default-src https: data: 'unsafe-inline' 'unsafe-eval'"; 043 private FilterConfig filterConfig; 044 045 @Override 046 public void init(FilterConfig filterConfig) throws ServletException { 047 this.filterConfig = filterConfig; 048 LOG.info("Added security headers filter"); 049 } 050 051 @Override 052 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 053 throws IOException, ServletException { 054 HttpServletResponse httpResponse = (HttpServletResponse) response; 055 httpResponse.addHeader("X-Content-Type-Options", "nosniff"); 056 httpResponse.addHeader("X-XSS-Protection", "1; mode=block"); 057 String hsts = filterConfig.getInitParameter("hsts"); 058 if (StringUtils.isNotBlank(hsts)) { 059 httpResponse.addHeader("Strict-Transport-Security", hsts); 060 } 061 String csp = filterConfig.getInitParameter("csp"); 062 if (StringUtils.isNotBlank(csp)) { 063 httpResponse.addHeader("Content-Security-Policy", csp); 064 } 065 chain.doFilter(request, response); 066 } 067 068 @Override 069 public void destroy() { 070 } 071 072 public static Map<String, String> getDefaultParameters(Configuration conf, boolean isSecure) { 073 Map<String, String> params = new HashMap<>(); 074 params.put("hsts", conf.get("hbase.http.filter.hsts.value", isSecure ? DEFAULT_HSTS : "")); 075 params.put("csp", conf.get("hbase.http.filter.csp.value", isSecure ? DEFAULT_CSP : "")); 076 return params; 077 } 078}