Protecting Java EE Web Apps with Secure HTTP Headers


  1. HttpOnly Flag
    • Ensures that the cookie cannot be accessed via client-side scripts (document.cookie) - set by default for the JSESSIONID in Tomcat 7
    • Configure in web.xml as of Servlet 3.0
    • Programmatically
      String cookie = "mycookie=test; Secure; HttpOnly";
      response.addHeader("Set-Cookie", cookie);
  2. X-XSS-Protection
    • Blocks common reflected XSS in browsers that implement the filter
    • X-XSS-Protection: 1 - the browser modifies the response to neutralise the detected XSS
      response.addHeader("X-XSS-Protection", "1");
    • X-XSS-Protection: 0 - disables the XSS filter
      response.addHeader("X-XSS-Protection", "0");
    • X-XSS-Protection: 1; mode=block - prevents rendering of the page entirely when an attack is detected
      response.addHeader("X-XSS-Protection", "1; mode=block");

B. Session Hijacking: Protect by Using the Secure Flag

  • Ensures that the cookie is only sent over SSL/TLS, never on a plain HTTP request
  • Configure in web.xml as of Servlet 3.0
  • Programmatically
    Cookie cookie = new Cookie("mycookie", "test");
    cookie.setSecure(true);    // browser sends this cookie over HTTPS only
    response.addCookie(cookie);

C. Clickjacking

  • Use X-Frame-Options - an HTTP response header supported by all recent browsers
  • Three options
    • DENY - prevents any site from framing the page
      response.addHeader("X-Frame-Options", "DENY");
    • SAMEORIGIN - allows framing only from the same origin
      response.addHeader("X-Frame-Options", "SAMEORIGIN");
    • ALLOW-FROM origin - allows framing only from the specified origin (not honoured by every browser; DENY and SAMEORIGIN are the portable choices)
      String value = "ALLOW-FROM https://trusted.example";   // example origin; use the site that may frame you
      response.addHeader("X-Frame-Options", value);
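Setting these headers in a single servlet filter, so they apply to every response rather than being repeated in each servlet, is shown below as an added example that is not part of the original post; the class name, the `/*` mapping and the cookie name `mycookie` are assumptions (Servlet 3.0 API, as used with Tomcat 7).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical example class: applies the headers from this post to every response.
@WebFilter("/*")
public class SecureHeadersFilter implements Filter {
    private static final String COOKIE_NAME = "mycookie"; // name assumed for the example

    @Override
    public void init(FilterConfig config) throws ServletException {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // setHeader (not addHeader) so a servlet that also sets the header
        // does not produce duplicate, possibly conflicting, values.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");     // clickjacking
        response.setHeader("X-XSS-Protection", "1; mode=block"); // legacy reflected-XSS filter

        // Issue the application cookie once, with both flags, if the client has none yet.
        if (!hasCookie(request, COOKIE_NAME)) {
            Cookie cookie = new Cookie(COOKIE_NAME, "test");
            cookie.setHttpOnly(true); // no document.cookie access (Servlet 3.0 API)
            cookie.setSecure(true);   // only sent over TLS
            cookie.setPath("/");
            response.addCookie(cookie);
        }
        chain.doFilter(req, res);
    }

    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }

    @Override
    public void destroy() {}
}
```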

