Abhishek Singh

Reputation: 1517

Adding Security Headers in response of spring MVC Application

I want to add the headers below to the response headers in Spring MVC:

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

I have written the code below in my MvcConfig file, which extends WebMvcConfigurerAdapter.

    @Bean
    public Filter securityHeadersFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                filterChain.doFilter(request, response);

                // headers are set only after the rest of the chain has already run
                response.setHeader("X-XSS-Protection", "1; mode=block");
                response.setHeader("X-Content-Type-Options", "nosniff");
            }
        };
    }

Now, when I make a request and look at the response headers in the browser, these two headers don't appear. I have not registered the filter with a URL pattern anywhere. Is this the problem, or have I missed something else? If the URL pattern configuration is the problem, then please tell me how and where to configure it.

Anyway, my ultimate goal is to get the above two security headers into the response headers.

Upvotes: 1

Views: 7621

Answers (2)

Abhishek Singh

Reputation: 1517

It's quite simple to add a new security header to your response in the Spring framework. I am listing here all the most commonly used security headers. The code is:

1) First, write a new custom filter.

    package com.mypackage;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class AddHeaderFilter extends OncePerRequestFilter {

        private static final Logger LOG = LoggerFactory.getLogger(AddHeaderFilter.class);

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {

            // Headers are set BEFORE the chain runs, so they are present
            // when the response is committed by the downstream servlet.
            response.setHeader("X-XSS-Protection", "1; mode=block");
            response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("Cache-Control", "no-store, no-cache");
            response.setHeader("X-Frame-Options", "DENY");
            // Literal token value as posted; a real deployment generates the token per session.
            response.setHeader("Set-Cookie", "XSRF-TOKEN=NDKDdfdsfkldsfNd3SZAJfwLsTl5WUgOkE; Path=/; Secure; HttpOnly");

            filterChain.doFilter(request, response);

            LOG.info("Exit: AddHeaderFilter");
        }
    }


2) Now configure this filter in your web.xml file.

    <filter>
      <filter-name>addHeaderFilter</filter-name>
      <filter-class>com.mypackage.AddHeaderFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>addHeaderFilter</filter-name>
      <url-pattern>/api/*</url-pattern>
    </filter-mapping>


That's all. Now hit your API and watch the response. You will get these headers in your response. :)

Upvotes: 6
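The question's setup is a Java-config Spring MVC application (a class extending WebMvcConfigurerAdapter), where there is no web.xml to hold the filter-mapping. In plain Spring MVC a `@Bean` of type `Filter` is only a bean in the application context; nothing registers it with the servlet container (Spring Boot does that automatically, plain Spring MVC does not). The programmatic equivalent of the web.xml block above is a `WebApplicationInitializer` that registers the filter through the Servlet 3.0 `ServletContext` API. The following is an added example, not code from the question or the answer; it assumes a Servlet 3.0+ container, reuses the `AddHeaderFilter` class from the answer, and assumes the question's `MvcConfig` is a `@Configuration` class in the same package. Note also why the answer sets the headers before `filterChain.doFilter(...)`: headers added after the chain returns are silently dropped once the downstream servlet has committed the response.

```java
package com.mypackage; // package name taken from the answer; this class itself is assumed

import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;

/**
 * Replaces web.xml for a Java-config Spring MVC application: registers the
 * DispatcherServlet and maps AddHeaderFilter to the same URL pattern the
 * answer's <filter-mapping> uses.
 */
public class WebAppInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Root the Spring context on the question's MvcConfig (assumed @Configuration class).
        AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
        ctx.register(MvcConfig.class);

        ServletRegistration.Dynamic dispatcher =
                servletContext.addServlet("dispatcher", new DispatcherServlet(ctx));
        dispatcher.setLoadOnStartup(1);
        dispatcher.addMapping("/");

        // Equivalent of the <filter> + <filter-mapping> block from the answer's web.xml.
        // addFilter(...) returns null if a filter with this name was already registered.
        FilterRegistration.Dynamic headerFilter =
                servletContext.addFilter("addHeaderFilter", AddHeaderFilter.class);
        if (headerFilter == null) {
            throw new ServletException("addHeaderFilter is already registered");
        }
        headerFilter.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST), // normal client requests only
                false,                              // run before any filters declared in web.xml
                "/api/*");                          // same url-pattern as the answer
    }
}
```

To confirm the mapping took effect, request a path under `/api/` and inspect the headers with `curl -i`; a request outside `/api/*` will not carry them, which is the usual reason a filter "does nothing" after it has been registered with too narrow a pattern.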

Slava Semushin

Reputation: 15194

Spring Security, starting from version 3.2, adds these headers for you.

More info about its configuration:

Of course, it works only if you are using Spring Security in the project :)

Upvotes: 1
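When Spring Security is on the classpath, its `HeaderWriterFilter` writes `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, cache-control headers, HSTS (on HTTPS requests) and `X-XSS-Protection` without any custom filter, and it writes them before the response is committed, so the ordering problem from the question does not arise. Below is an added example of the Java-config form, not code from the answer; it assumes Spring Security 5.8 or later (the lambda DSL, `authorizeHttpRequests`, and `XXssConfig.headerValue`), a package name of `com.mypackage.security`, and HTTP Basic as a placeholder authentication mechanism. It sets `X-XSS-Protection` explicitly because recent Spring Security versions default that header to `0` (the header is deprecated in browsers), whereas the question asks for `1; mode=block`.

```java
package com.mypackage.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

/**
 * Security headers via Spring Security's HeadersConfigurer instead of a hand-written filter.
 * Everything under headers(...) is applied by HeaderWriterFilter to every response
 * that passes through this SecurityFilterChain.
 */
@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                // X-Content-Type-Options: nosniff
                .contentTypeOptions(Customizer.withDefaults())
                // X-XSS-Protection: 1; mode=block (the value the question asks for;
                // the default in current versions is "0")
                .xssProtection(xss -> xss.headerValue(
                        XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
                // X-Frame-Options: DENY
                .frameOptions(frame -> frame.deny())
                // Strict-Transport-Security: max-age=31536000 ; includeSubDomains
                // (only written when the request itself arrived over HTTPS)
                .httpStrictTransportSecurity(hsts -> hsts
                        .includeSubDomains(true)
                        .maxAgeInSeconds(31536000))
                // Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                // plus Pragma: no-cache and Expires: 0
                .cacheControl(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()); // placeholder authentication for the example
        return http.build();
    }
}
```

Two practical checks: verify the headers with `curl -ik https://host/api/...` rather than over plain HTTP, since HSTS is deliberately omitted on non-TLS requests, and if a view or static resource should be frameable by the same site, change `frame.deny()` to `frame.sameOrigin()` rather than disabling the header.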
