001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.http;
019
020import java.io.IOException;
021import java.util.HashMap;
022import java.util.Map;
023import javax.servlet.Filter;
024import javax.servlet.FilterChain;
025import javax.servlet.FilterConfig;
026import javax.servlet.ServletException;
027import javax.servlet.ServletRequest;
028import javax.servlet.ServletResponse;
029import javax.servlet.http.HttpServletResponse;
030import org.apache.commons.lang3.StringUtils;
031import org.apache.hadoop.conf.Configuration;
032import org.apache.hadoop.hbase.HBaseInterfaceAudience;
033import org.apache.yetus.audience.InterfaceAudience;
034import org.slf4j.Logger;
035import org.slf4j.LoggerFactory;
036
037@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
038public class SecurityHeadersFilter implements Filter {
039
040  private static final Logger LOG = LoggerFactory.getLogger(SecurityHeadersFilter.class);
041  private static final String DEFAULT_HSTS = "max-age=63072000;includeSubDomains;preload";
042  private static final String DEFAULT_CSP =
043    "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
044  private FilterConfig filterConfig;
045
046  @Override
047  public void init(FilterConfig filterConfig) throws ServletException {
048    this.filterConfig = filterConfig;
049    LOG.info("Added security headers filter");
050  }
051
052  @Override
053  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
054    throws IOException, ServletException {
055    HttpServletResponse httpResponse = (HttpServletResponse) response;
056    httpResponse.addHeader("X-Content-Type-Options", "nosniff");
057    httpResponse.addHeader("X-XSS-Protection", "1; mode=block");
058    String hsts = filterConfig.getInitParameter("hsts");
059    if (StringUtils.isNotBlank(hsts)) {
060      httpResponse.addHeader("Strict-Transport-Security", hsts);
061    }
062    String csp = filterConfig.getInitParameter("csp");
063    if (StringUtils.isNotBlank(csp)) {
064      httpResponse.addHeader("Content-Security-Policy", csp);
065    }
066    chain.doFilter(request, response);
067  }
068
069  @Override
070  public void destroy() {
071  }
072
073  public static Map<String, String> getDefaultParameters(Configuration conf, boolean isSecure) {
074    Map<String, String> params = new HashMap<>();
075    params.put("hsts", conf.get("hbase.http.filter.hsts.value", isSecure ? DEFAULT_HSTS : ""));
076    params.put("csp", conf.get("hbase.http.filter.csp.value", isSecure ? DEFAULT_CSP : ""));
077    return params;
078  }
079}