Hi,
woops it is now A+ because of this in the web.xml:
<!-- Force SSL for entire site -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
kind regards
Tobias
-------- Weitergeleitete Nachricht --------
Betreff: Re: Security Check of Mozilla / Wicket implementation
Datum: Sun, 28 Aug 2016 15:52:32 +0200
Von: Tobias Soloschenko <tobias.solosche...@gmail.com>
An: dev@wicket.apache.org
Hi,
you are able to implement the security headers in a very easy way. See:
Mozilla tool to check web security: https://observatory.mozilla.org/
Demo wicket application (might be down or change after a while):
https://wicketsecurity-klopfdreh.rhcloud.com/
The test:
https://observatory.mozilla.org/analyze.html?host=wicketsecurity-klopfdreh.rhcloud.com
The implementation within your Wicket Application:
@Override
protected void init()
{
super.init();
getRequestCycleListeners().add(new AbstractRequestCycleListener(){
@Override
public void onEndRequest(RequestCycle cycle)
{
((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1;
mode=block");
((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security",
"max-age=31536000;
includeSubDomains; preload");
((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options",
"nosniff");
((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", "DENY");
((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy",
"default-src https:"); // Google "for Content-Security-Policy" to allow
more domains
}
});
}
The result: >> A- << (because of redirection settings of tomcat - I was
not able to change them that fast)
To get A just enable a server redirect like mentioned here:
https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections
kind regards
Tobias
Am 28.08.16 um 10:28 schrieb Carl-Eric Menzel:
I think it would be a good idea to have something like this as an
option in Wicket. Something to turn on with a one-liner for the
application. There are a bunch of these headers that are useful, plus I
recently came across this:
https://dev.to/ben/the-targetblank-vulnerability-by-example
Should we perhaps also add something that adds the rel="noopener"
attribute to links with target="_blank"?
I'm all for making these security things as easy as possible for the
developer.
Carl-Eric
On Sat, 27 Aug 2016 18:08:36 +0200
Martin Grigorov <mgrigo...@apache.org> wrote:
Hi,
We use Spring Security in all our applications.
It adds these response headers for free.
Any other Servlet Filter could do the same but I don't mind adding
facilities in Wicket too.
Btw one of the security experts from OWASP audited our applications
in the last few weeks. Although he've found few problems here and
there he said very nice words for Wicket!
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko <
tobiassolosche...@googlemail.com> wrote:
Hi,
Mozilla just made a tool public which allows to scan websites for
security risks. Maybe we can somehow add a default set of headers
to the page rendering of Wicket / apply other security relevant
implementations. Or we are able to make them at least optional:
https://observatory.mozilla.org
Example header:
https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
What so you think about that idea?
kind regards
Tobias