
I want to add the headers below to the response headers in Spring MVC:

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

I have written the code below in my MvcConfig file, which extends WebMvcConfigurerAdapter.

@Bean
public Filter securityHeadersFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
            filterChain.doFilter(request, response);

            response.setHeader("X-XSS-Protection", "1; mode=block");
            response.setHeader("X-Content-Type-Options", "nosniff");
        }
    };
}

Now, when I send a request and look at the response headers in the browser, these two headers don't appear. I have not registered the filter anywhere with a urlPattern. Is this the problem, or have I missed something else? If the urlPattern configuration is the problem, then please tell me how and where to configure it.

Anyway, my ultimate goal is to get the above two security headers into the response headers.

2 Answers

It's quite simple to add new security headers to your response in the Spring framework. I am listing here the most commonly used security headers.

1) First, write a custom filter:

package com.mypackage;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;

public class AddHeaderFilter extends OncePerRequestFilter {

    private static final Logger LOG = LoggerFactory.getLogger(AddHeaderFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {

        // Headers are set before delegating to the chain, i.e. before the
        // controller can write (and commit) the response body.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Cache-Control", "no-store, no-cache");
        response.setHeader("X-Frame-Options", "DENY");
        // Fixed demo value from the answer; a real CSRF token is generated per session.
        response.setHeader("Set-Cookie", "XSRF-TOKEN=NDKDdfdsfkldsfNd3SZAJfwLsTl5WUgOkE; Path=/; Secure;HttpOnly");
        filterChain.doFilter(request, response);

        LOG.info("Exit: AddHeaderFilter");
    }

}


2) Now register this filter in your web.xml file:

<filter>
  <filter-name>addHeaderFilter</filter-name>
  <filter-class>com.mypackage.AddHeaderFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>addHeaderFilter</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>


That's all. Now hit your API and look at the response: you will get these headers in it. :)
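The same two steps with Java-based servlet registration instead of web.xml, as an added example that is not part of the original answer. It is written for a Spring MVC application configured with `WebMvcConfigurerAdapter` (Servlet 3.0+, Spring 3.2+); the class names `SecurityHeadersFilter`, `WebAppInitializer` and `MvcConfig` are assumed names, `MvcConfig` standing for the questioner's own configuration class. The filter sets the headers before `filterChain.doFilter()`: a `setHeader()` call made after the response has been committed is ignored by the container, so writing headers after delegating to the chain is not reliable.

```java
// --- SecurityHeadersFilter.java ---
package com.mypackage;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

// Writes the two headers from the question. They are set BEFORE
// filterChain.doFilter(): once the controller has flushed the body the
// response is committed and any later setHeader() call is silently dropped.
public class SecurityHeadersFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("X-Content-Type-Options", "nosniff");
        filterChain.doFilter(request, response);
    }
}

// --- WebAppInitializer.java ---
package com.mypackage;

import javax.servlet.Filter;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Java-config equivalent of the <filter>/<filter-mapping> entries in web.xml:
// filters returned by getServletFilters() are registered against the
// DispatcherServlet's own mapping, so no url-pattern is written by hand.
// The container discovers this class through Spring's
// SpringServletContainerInitializer (Servlet 3.0 ServletContainerInitializer).
public class WebAppInitializer
        extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return null; // no separate root context in this example
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        // MvcConfig: the questioner's WebMvcConfigurerAdapter subclass (assumed name)
        return new Class<?>[] { MvcConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

    @Override
    protected Filter[] getServletFilters() {
        return new Filter[] { new SecurityHeadersFilter() };
    }
}
```

After deploying, check the headers from the command line rather than in the browser, e.g. `curl -sI http://localhost:8080/your-app/api/` (host, port and path depend on your deployment): both `X-XSS-Protection` and `X-Content-Type-Options` should be listed. If they are missing, the filter is not registered with the container; a `@Bean` of type `Filter` alone only creates the object in the Spring context, it does not map it to any URL.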


Spring Security, starting from version 3.2, adds these headers for you.

More info about its configuration:

Of course, it works only if you are using Spring Security in the project :)
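What that configuration looks like, as an added example that is not part of the original answer. It assumes Spring Security 4.x or 5.x Java config (`WebSecurityConfigurerAdapter`, deprecated from 5.7); on 3.2 itself a plain `http.headers()` call with no further customisers writes the same default headers, and the chained sub-configurers used below did not exist yet. `SecurityHeadersConfig` is an assumed class name.

```java
package com.mypackage;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// The header writers are enabled by default as soon as Spring Security is on
// the filter chain; this class only spells the values out so they are
// visible in code review and so that HSTS gets an explicit max-age.
@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentTypeOptions().and()              // X-Content-Type-Options: nosniff
                .xssProtection().block(true).and()       // X-XSS-Protection: 1; mode=block
                .cacheControl().and()                    // Cache-Control / Pragma / Expires
                .httpStrictTransportSecurity()           // Strict-Transport-Security, written
                    .includeSubDomains(true)             // only on requests that arrived
                    .maxAgeInSeconds(31536000).and()     // over HTTPS (request.isSecure())
                .frameOptions().deny()                   // X-Frame-Options: DENY
                .and()                                   // back to HttpSecurity
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Two things to keep in mind when relying on this instead of a hand-written filter: the headers are only written for requests that pass through Spring Security's filter chain, so paths excluded via `web.ignoring()` get none of them, and the HSTS header is deliberately omitted on plain-HTTP responses, so a test against `http://localhost` will not show it.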
