
Security headers: Simplify setting of headers, possibly via plugin


While working on an application, I left one of my least favourite todos unchecked: taking care of setting secure headers.

There is an OWASP Secure Headers Project that defines a couple of headers that should be set. I remember a common implementation used to be helmet (express based, so a bit outdated), that set a couple of these headers properly.

Would it make sense to have a plugin similar to the CorsPlugin that allows setting those headers via a builder, or do you think everything should be done manually anyway?

Happy to get any opinions and also to collect a list of headers/values if it makes sense to you…

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

1 reaction
tipsy commented, May 31, 2021

CSP is already covered, taking a string as an argument.

CSP is quite complex, so I would prefer to have a DSL for it, but I (or someone else) can take care of that part 😃

If we want to support caching headers as well, we probably should rename from secure headers to a more generic concept of pre-configurable headers?

Yeah, I think it’s better to make it a general “header-helper” than just security headers.

1 reaction
spinscale commented, May 18, 2021

I have created a sample plugin at https://github.com/spinscale/javalin-secure-headers

The basic idea is to have a builder for the plugin to create the proper headers (as typesafe as possible):

// Build the plugin once; every call configures one response header.
final SecureHeadersPlugin plugin = SecureHeadersPlugin.builder()
        .xContentTypeOptionsNoSniff()                       // X-Content-Type-Options: nosniff
        .strictTransportSecurity(Duration.ofSeconds(10), true) // HSTS max-age from a Duration, includeSubDomains
        .xFrameOptions("deny")
        .xPermittedCrossDomainPolicies(CrossDomainPolicy.NONE)
        .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN)
        .clearSiteData(ClearSiteData.COOKIES, ClearSiteData.EXECUTION_CONTEXTS, ClearSiteData.STORAGE)
        .crossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.UNSAFE_NONE)
        .crossOriginOpenerPolicy(CrossOriginOpenerPolicy.SAME_ORIGIN_ALLOW_POPUPS)
        .crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_SITE)
        .build();

// Register the plugin so the headers are added to every response.
final Javalin javalin = Javalin.create(config -> config.registerPlugin(plugin));

The plugin exists only to make sure we’re talking about the right way of implementing, before getting this into the core.
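As an added sketch of the builder idea in this comment (not the code from the javalin-secure-headers repository, nor Javalin's own), here is a minimal plugin that applies a subset of the headers above. It assumes the Javalin 3/4 plugin API (io.javalin.core.plugin.Plugin and JavalinConfig.registerPlugin); the class name SecureHeadersExample and the method xFrameOptionsDeny are my own names.

```java
import io.javalin.Javalin;
import io.javalin.core.plugin.Plugin;

import java.time.Duration;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical plugin written for this thread, not the javalin-secure-headers code.
public final class SecureHeadersExample implements Plugin {
    private final Map<String, String> headers;

    private SecureHeadersExample(Map<String, String> headers) {
        this.headers = headers;
    }

    public static Builder builder() { return new Builder(); }

    // A "before" handler runs for every request, so every response carries the headers.
    @Override
    public void apply(Javalin app) {
        app.before(ctx -> headers.forEach(ctx::header));
    }

    public static final class Builder {
        private final Map<String, String> headers = new LinkedHashMap<>();

        public Builder xContentTypeOptionsNoSniff() {
            headers.put("X-Content-Type-Options", "nosniff");
            return this;
        }

        // Taking a Duration keeps callers from mixing up seconds and milliseconds.
        public Builder strictTransportSecurity(Duration maxAge, boolean includeSubDomains) {
            String value = "max-age=" + maxAge.getSeconds();
            if (includeSubDomains) value += "; includeSubDomains";
            headers.put("Strict-Transport-Security", value);
            return this;
        }

        public Builder xFrameOptionsDeny() {
            headers.put("X-Frame-Options", "DENY");
            return this;
        }

        public SecureHeadersExample build() {
            return new SecureHeadersExample(new LinkedHashMap<>(headers));
        }
    }
}
```

Register it the same way as above, with `Javalin.create(config -> config.registerPlugin(SecureHeadersExample.builder().xContentTypeOptionsNoSniff().build()))`.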

