lmccay opened a new pull request, #1021:
URL: https://github.com/apache/knox/pull/1021
## What changes were proposed in this pull request?
In order to add various security headers to a response, we can add a generic
filter for which init params, with the param name and value, indicate the
header name and the string representing the directives for the header respectively.
This will allow admins to configure things like Content-Security-Policy,
Cache-Control, etc. without the need to add separate filters for each one.
## How was this patch tested?
New unit tests were added.
All new and existing tests were run.
Manual testing was done with the following web app sec provider config and
curl command:
```
<provider>
  <role>webappsec</role>
  <name>WebAppSec</name>
  <enabled>true</enabled>
  <param>
    <name>csrf.customHeader</name>
    <value>X-XSRF-Header</value>
  </param>
  <param>
    <name>csrf.methodsToIgnore</name>
    <value>GET,OPTIONS,HEAD</value>
  </param>
  <param>
    <name>xframe.options.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>xss.protection.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>strict.transport.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>xframe.options</name>
    <value>SAMEORIGIN</value>
  </param>
  <param>
    <name>security.header.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>security.header.Content-Security-Policy</name>
    <value>default-src 'self'</value>
  </param>
  <param>
    <name>security.header.Cache-Control</name>
    <value>max-age=604800</value>
  </param>
</provider>
```
Note the params with the "security.header." prefix and the headers added to
the resulting output from the curl command below:
```
curl -ivku admin:admin-password -X POST "https://localhost:8443/gateway/sandbox/clientid/api/v1/oauth/credentials"
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 10 Apr 2025 12:03:04 GMT
Date: Thu, 10 Apr 2025 12:03:04 GMT
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1;mode=block
X-XSS-Protection: 1;mode=block
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
**< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'**
< pattern: clientid/api/**?**
pattern: clientid/api/**?**
< Set-Cookie: KNOXSESSIONID=node0oggzblclwhrm1u6i6xsx4xn33.node0; Path=/gateway/sandbox; Secure; HttpOnly
Set-Cookie: KNOXSESSIONID=node0oggzblclwhrm1u6i6xsx4xn33.node0; Path=/gateway/sandbox; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 09-Apr-2025 12:03:04 GMT; SameSite=lax
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 09-Apr-2025 12:03:04 GMT; SameSite=lax
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 203
Content-Length: 203
<
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
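A way to check that headers configured with the `security.header.` prefix actually reach the client, added here as an example and not part of this PR or of Knox itself: it derives the expected header set from the provider config using the prefix convention described in the PR (honouring the `security.header.enabled` switch) and compares it against captured `curl -i` output. The config and response samples are constructed, trimmed copies of the ones in the description.

```python
import re
import xml.etree.ElementTree as ET
PREFIX = "security.header."          # param-name prefix the PR introduces
ENABLED_PARAM = PREFIX + "enabled"   # master switch for the generic filter

# Constructed sample: a trimmed copy of the webappsec provider config above.
PROVIDER_XML = """<provider><role>webappsec</role><enabled>true</enabled>
  <param><name>xframe.options.enabled</name><value>true</value></param>
  <param><name>security.header.enabled</name><value>true</value></param>
  <param><name>security.header.Content-Security-Policy</name><value>default-src 'self'</value></param>
  <param><name>security.header.Cache-Control</name><value>max-age=604800</value></param>
</provider>"""
# Constructed sample: a few header lines from the `curl -ivk` output above.
SAMPLE_RESPONSE = """< HTTP/1.1 200 OK
< X-Frame-Options: SAMEORIGIN
< Cache-Control: max-age=604800
< Content-Security-Policy: default-src 'self'
< Content-Type: application/json
"""

def expected_headers(provider_xml):
    # Map security.header.<Name> params to {Name: value}; nothing is expected
    # unless security.header.enabled is explicitly "true".
    params = {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
              for p in ET.fromstring(provider_xml).findall("param")}
    if params.get(ENABLED_PARAM, "false").lower() != "true":
        return {}
    return {n[len(PREFIX):]: v for n, v in params.items()
            if n.startswith(PREFIX) and n != ENABLED_PARAM}

def parse_response_headers(curl_output):
    # Collect headers from curl -i/-v output; the leading '< ' is optional and
    # names are lower-cased because HTTP header names are case-insensitive.
    headers = {}
    for line in curl_output.splitlines():
        m = re.match(r"^(?:<\s*)?([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return headers

def check_response(provider_xml, curl_output):
    # Report configured headers that are missing from, or differ in, the response.
    got = parse_response_headers(curl_output)
    problems = []
    for name, value in expected_headers(provider_xml).items():
        values = got.get(name.lower())
        if values is None:
            problems.append(f"missing: {name}")
        elif value not in values:
            problems.append(f"mismatch: {name} expected {value!r}, got {values}")
    return problems
```

Feeding it the real provider XML and the raw `curl -ivk` output (duplicate header lines included) gives an empty list when the filter is doing its job.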