Re: Add HTTP security Headers in the response

2018-10-03 Thread Ajay Arora 
Thank you the quick response and solution.

is this way of putting the headers gives us any advantages over having
filter in front of Tapestry filter like may be better performance ?
I believe the built-in Tapestry filters would be called before any custom
filter(s) and one of those filter like 'StaticFilesFilter' might skip some
requests going further to the new custom filter? And, I still needs to
parse the resource type in custom filter before setting a particular header
like x-frame-options does not make sense a image?

Thanks for your help !


On Wed, Oct 3, 2018 at 12:11 PM Ben Weidig  wrote:

> Hi,
>
> you could use a org.apache.tapestry5.services.RequestFilter.class to access
> the response (
>
> http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html
> )
>
> Something like this (untested code):
>
> public class MySecurityHeadersRequestFilter implements RequestFilter {
>
> @Override
> public boolean service(Request request, Response response,
> RequestHandler handler) throws IOException {
> response.addHeader("X-Frame-Options", "my options");
> return handler.service(request, response);
> }
> }
>
> Then just contribute it in a module:
>
> public static void
> contributeRequestHandler(OrderedConfiguration conf) {
> conf.addInstance("my-security-headers",
> MySecurityHeadersRequestFilter.class);
> }
>
> On Wed, Oct 3, 2018 at 5:59 PM Ajay Arora  wrote:
>
> > Hello All,
> >
> > We're looking for ways to add different http security headers
> > like X-Frame-Options, X-XSS-Protection and others into the http response.
> > We're using Tapestry 5.4.3.
> >
> > One way I found was to add a additional filter in web.xml before the
> > Tapestry Filter takes over but then it add the headers to all the
> requests
> > like for static files and not sure if  X-Frame-Options header etc should
> be
> > included for the response of such type of requests.
> >
> > Feel like we should wait till Tapestry done handling the request and then
> > add the security headers before the response goes to the client but could
> > not find how to do it In Tapestry.
> >
> > is there a better way to do this in Tapestry?
> >
> > Thanks for your help !
> >
>
>
> Ben
> --
>
> Netzgut GmbH
>

Add HTTP security Headers in the response

2018-10-03 Thread Ajay Arora 
Hello All,

We're looking for ways to add different http security headers
like X-Frame-Options, X-XSS-Protection and others into the http response.
We're using Tapestry 5.4.3.

One way I found was to add a additional filter in web.xml before the
Tapestry Filter takes over but then it add the headers to all the requests
like for static files and not sure if  X-Frame-Options header etc should be
included for the response of such type of requests.

Feel like we should wait till Tapestry done handling the request and then
add the security headers before the response goes to the client but could
not find how to do it In Tapestry.

is there a better way to do this in Tapestry?

Thanks for your help !