001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.http;
019
020import java.io.IOException;
021import java.util.HashMap;
022import java.util.Map;
023import javax.servlet.Filter;
024import javax.servlet.FilterChain;
025import javax.servlet.FilterConfig;
026import javax.servlet.ServletException;
027import javax.servlet.ServletRequest;
028import javax.servlet.ServletResponse;
029import javax.servlet.http.HttpServletResponse;
030import org.apache.commons.lang3.StringUtils;
031import org.apache.hadoop.conf.Configuration;
032import org.apache.hadoop.hbase.HBaseInterfaceAudience;
033import org.apache.yetus.audience.InterfaceAudience;
034import org.slf4j.Logger;
035import org.slf4j.LoggerFactory;
036
037@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
038public class SecurityHeadersFilter implements Filter {
039  private static final Logger LOG = LoggerFactory.getLogger(SecurityHeadersFilter.class);
040  private static final String DEFAULT_HSTS = "max-age=63072000;includeSubDomains;preload";
041  private static final String DEFAULT_CSP =
042    "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
043  private FilterConfig filterConfig;
044
045  @Override
046  public void init(FilterConfig filterConfig) throws ServletException {
047    this.filterConfig = filterConfig;
048    LOG.info("Added security headers filter");
049  }
050
051  @Override
052  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
053    throws IOException, ServletException {
054    HttpServletResponse httpResponse = (HttpServletResponse) response;
055    httpResponse.addHeader("X-Content-Type-Options", "nosniff");
056    httpResponse.addHeader("X-XSS-Protection", "1; mode=block");
057    String hsts = filterConfig.getInitParameter("hsts");
058    if (StringUtils.isNotBlank(hsts)) {
059      httpResponse.addHeader("Strict-Transport-Security", hsts);
060    }
061    String csp = filterConfig.getInitParameter("csp");
062    if (StringUtils.isNotBlank(csp)) {
063      httpResponse.addHeader("Content-Security-Policy", csp);
064    }
065    chain.doFilter(request, response);
066  }
067
068  @Override
069  public void destroy() {
070  }
071
072  public static Map<String, String> getDefaultParameters(Configuration conf, boolean isSecure) {
073    Map<String, String> params = new HashMap<>();
074    params.put("hsts", conf.get("hbase.http.filter.hsts.value", isSecure ? DEFAULT_HSTS : ""));
075    params.put("csp", conf.get("hbase.http.filter.csp.value", isSecure ? DEFAULT_CSP : ""));
076    return params;
077  }
078}