Protecting Java EE Web Apps with Secure HTTP Headers

A. XSS

  1. HttpOnly Flag
    • Ensures that the Cookie cannot be accessed via client-side scripts - Set by default for the JSESSIONID in Tomcat 7
    • Configure in web.xml as of Servlet 3.0
      <session-config>
        <cookie-config>
          <http-only>true</http-only>
        </cookie-config>
      </session-config>
      
    • Programmatically
      String cookie = "mycookie=test; Secure; HttpOnly";
      response.addHeader("Set-Cookie", cookie);
      
  2. X-XSS-Protection
    • Blocks common reflected XSS
    • X-XSS-Protection: 1 - Browser modifies the response to block XSS
      response.addHeader("X-XSS-Protection", "1");
      
    • X-XSS-Protection: 0 - Disables the XSS filter
      response.addHeader("X-XSS-Protection", "0");
      
    • X-XSS-Protection: 1; mode=block - Prevents rendering of the page entirely
      response.addHeader("X-XSS-Protection", "1; mode=block");
      

B. Session Hijacking: Protect by Using Secure Flag

  • Ensures that the Cookie is only sent via SSL
  • Configure in web.xml as of Servlet 3.0
    <session-config>
      <cookie-config>
        <secure>true</secure>
      </cookie-config>
    </session-config>
    
  • Programmatically
    Cookie cookie = new Cookie("mycookie", "test");
    cookie.setSecure(true);      // only sent over HTTPS
    response.addCookie(cookie);  // the cookie must still be added to the response
    

C. Clickjacking

  • Use X-Frame-Options - HTTP Response Header supported by all recent browsers
  • Three options
    • DENY - Prevents any site from framing the page
      response.addHeader("X-Frame-Options", "DENY");
      
    • SAMEORIGIN - Allows framing only from the same origin
      response.addHeader("X-Frame-Options", "SAMEORIGIN");
      
    • ALLOW-FROM origin - Allows framing only from the specified origin
      String value = "ALLOW-FROM http://www.trustedsite.com:8080";
      response.addHeader("X-Frame-Options", value);
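Setting these headers in each servlet is easy to forget, so a common approach is a single servlet filter that applies them to every response. The filter below is an added example, not code from the original post; the class name, the "/*" URL pattern and the helper cookie name are my own choices, and it assumes the Servlet 3.0 API (javax.servlet) that the web.xml snippets above already require.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Applies the secure headers from sections A and C to every HTTP response.
// Hypothetical class name and URL pattern; adjust the pattern to your application.
@WebFilter(urlPatterns = "/*")
public class SecureHeadersFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // A. XSS: turn on the browser's reflected-XSS filter and block the page on detection.
            // setHeader (not addHeader) so a servlet further down cannot end up with duplicates.
            httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
            // C. Clickjacking: refuse framing by any site. DENY and SAMEORIGIN are supported by
            // all recent browsers; ALLOW-FROM is not, so it is not used here.
            httpResponse.setHeader("X-Frame-Options", "DENY");
        }
        // Headers must be set before the servlet starts writing the body, so set them first.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    // B. Session hijacking: build an application cookie that is both Secure and HttpOnly
    // using the Servlet 3.0 Cookie API instead of a hand-written Set-Cookie header.
    public static Cookie secureCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);    // only sent over SSL/TLS
        cookie.setHttpOnly(true);  // not readable from client-side script
        return cookie;             // caller passes it to response.addCookie(...)
    }
}
```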
      
