001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.IOException; 021import java.util.HashMap; 022import java.util.Map; 023import javax.servlet.Filter; 024import javax.servlet.FilterChain; 025import javax.servlet.FilterConfig; 026import javax.servlet.ServletException; 027import javax.servlet.ServletRequest; 028import javax.servlet.ServletResponse; 029import javax.servlet.http.HttpServletResponse; 030import org.apache.commons.lang3.StringUtils; 031import org.apache.hadoop.conf.Configuration; 032import org.apache.hadoop.hbase.HBaseInterfaceAudience; 033import org.apache.yetus.audience.InterfaceAudience; 034import org.slf4j.Logger; 035import org.slf4j.LoggerFactory; 036 037@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG) 038public class SecurityHeadersFilter implements Filter { 039 040 private static final Logger LOG = LoggerFactory.getLogger(SecurityHeadersFilter.class); 041 private static final String DEFAULT_HSTS = "max-age=63072000;includeSubDomains;preload"; 042 private static final String DEFAULT_CSP = 043 "default-src https: data: 'unsafe-inline' 'unsafe-eval'"; 044 private FilterConfig filterConfig; 045 046 @Override 047 public void init(FilterConfig filterConfig) throws ServletException { 048 this.filterConfig = filterConfig; 049 LOG.info("Added security headers filter"); 050 } 051 052 @Override 053 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 054 throws IOException, ServletException { 055 HttpServletResponse httpResponse = (HttpServletResponse) response; 056 httpResponse.addHeader("X-Content-Type-Options", "nosniff"); 057 httpResponse.addHeader("X-XSS-Protection", "1; mode=block"); 058 String hsts = filterConfig.getInitParameter("hsts"); 059 if (StringUtils.isNotBlank(hsts)) { 060 httpResponse.addHeader("Strict-Transport-Security", hsts); 061 } 062 String csp = filterConfig.getInitParameter("csp"); 063 if (StringUtils.isNotBlank(csp)) { 064 httpResponse.addHeader("Content-Security-Policy", csp); 065 } 066 chain.doFilter(request, response); 067 } 068 069 @Override 070 public void destroy() { 071 } 072 073 public static Map<String, String> getDefaultParameters(Configuration conf, boolean isSecure) { 074 Map<String, String> params = new HashMap<>(); 075 params.put("hsts", conf.get("hbase.http.filter.hsts.value", isSecure ? DEFAULT_HSTS : "")); 076 params.put("csp", conf.get("hbase.http.filter.csp.value", isSecure ? DEFAULT_CSP : "")); 077 return params; 078 } 079}