You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Ajay Arora <to...@gmail.com> on 2018/10/03 15:59:35 UTC
Add HTTP security Headers in the response
Hello All,
We're looking for ways to add different http security headers
like X-Frame-Options, X-XSS-Protection and others into the http response.
We're using Tapestry 5.4.3.
One way I found was to add a additional filter in web.xml before the
Tapestry Filter takes over but then it add the headers to all the requests
like for static files and not sure if X-Frame-Options header etc should be
included for the response of such type of requests.
Feel like we should wait till Tapestry done handling the request and then
add the security headers before the response goes to the client but could
not find how to do it In Tapestry.
is there a better way to do this in Tapestry?
Thanks for your help !
Re: Add HTTP security Headers in the response
Posted by Ben Weidig <be...@netzgut.net>.
The main advantage is having the full power of Tapestry and your services
available to you. Can't speak for the performance, it might be faster with
a filter before Tapestry, but I don't think it would impact your
performance that much, we have multiple RequestFilters in our apps.
The configuration is an "OrderedConfiguration", so you can influence the
order of the filters:
conf.addInstance("my-security-headers",
MySecurityHeadersRequestFilter.class, "before:StaticFiles");
The name of the contribution is defined here
org.apache.tapestry5.modules.TapestryModule.class:862
You have access to the request and can add only the headers if needed, or
just give the request to the next filter.
Hope this helps!
On Wed, Oct 3, 2018 at 8:00 PM Ajay Arora <to...@gmail.com> wrote:
> Thank you the quick response and solution.
>
> is this way of putting the headers gives us any advantages over having
> filter in front of Tapestry filter like may be better performance ?
> I believe the built-in Tapestry filters would be called before any custom
> filter(s) and one of those filter like 'StaticFilesFilter' might skip some
> requests going further to the new custom filter? And, I still needs to
> parse the resource type in custom filter before setting a particular header
> like x-frame-options does not make sense a image?
>
> Thanks for your help !
>
>
Ben
--
Netzgut GmbH
Re: Add HTTP security Headers in the response
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, Oct 3, 2018 at 3:00 PM Ajay Arora <to...@gmail.com> wrote:
> Thank you the quick response and solution.
>
> is this way of putting the headers gives us any advantages over having
> filter in front of Tapestry filter like may be better performance ?
>
I cannot think how any option would be faster than the other, so I suggest
you do it in a RequestFilter, where you have everything in Tapestry and
Tapestry-IoC at your disposal.
> I believe the built-in Tapestry filters would be called before any custom
> filter(s) and one of those filter like 'StaticFilesFilter' might skip some
> requests going further to the new custom filter? And, I still needs to
> parse the resource type in custom filter before setting a particular header
> like x-frame-options does not make sense a image?
>
> Thanks for your help !
>
>
> On Wed, Oct 3, 2018 at 12:11 PM Ben Weidig <be...@netzgut.net> wrote:
>
> > Hi,
> >
> > you could use a org.apache.tapestry5.services.RequestFilter.class to
> access
> > the response (
> >
> >
> http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html
> > )
> >
> > Something like this (untested code):
> >
> > public class MySecurityHeadersRequestFilter implements RequestFilter {
> >
> > @Override
> > public boolean service(Request request, Response response,
> > RequestHandler handler) throws IOException {
> > response.addHeader("X-Frame-Options", "my options");
> > return handler.service(request, response);
> > }
> > }
> >
> > Then just contribute it in a module:
> >
> > public static void
> > contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
> > conf.addInstance("my-security-headers",
> > MySecurityHeadersRequestFilter.class);
> > }
> >
> > On Wed, Oct 3, 2018 at 5:59 PM Ajay Arora <to...@gmail.com> wrote:
> >
> > > Hello All,
> > >
> > > We're looking for ways to add different http security headers
> > > like X-Frame-Options, X-XSS-Protection and others into the http
> response.
> > > We're using Tapestry 5.4.3.
> > >
> > > One way I found was to add a additional filter in web.xml before the
> > > Tapestry Filter takes over but then it add the headers to all the
> > requests
> > > like for static files and not sure if X-Frame-Options header etc
> should
> > be
> > > included for the response of such type of requests.
> > >
> > > Feel like we should wait till Tapestry done handling the request and
> then
> > > add the security headers before the response goes to the client but
> could
> > > not find how to do it In Tapestry.
> > >
> > > is there a better way to do this in Tapestry?
> > >
> > > Thanks for your help !
> > >
> >
> >
> > Ben
> > --
> >
> > Netzgut GmbH
> >
>
--
Thiago
Re: Add HTTP security Headers in the response
Posted by Ajay Arora <to...@gmail.com>.
Thank you the quick response and solution.
is this way of putting the headers gives us any advantages over having
filter in front of Tapestry filter like may be better performance ?
I believe the built-in Tapestry filters would be called before any custom
filter(s) and one of those filter like 'StaticFilesFilter' might skip some
requests going further to the new custom filter? And, I still needs to
parse the resource type in custom filter before setting a particular header
like x-frame-options does not make sense a image?
Thanks for your help !
On Wed, Oct 3, 2018 at 12:11 PM Ben Weidig <be...@netzgut.net> wrote:
> Hi,
>
> you could use a org.apache.tapestry5.services.RequestFilter.class to access
> the response (
>
> http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html
> )
>
> Something like this (untested code):
>
> public class MySecurityHeadersRequestFilter implements RequestFilter {
>
> @Override
> public boolean service(Request request, Response response,
> RequestHandler handler) throws IOException {
> response.addHeader("X-Frame-Options", "my options");
> return handler.service(request, response);
> }
> }
>
> Then just contribute it in a module:
>
> public static void
> contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
> conf.addInstance("my-security-headers",
> MySecurityHeadersRequestFilter.class);
> }
>
> On Wed, Oct 3, 2018 at 5:59 PM Ajay Arora <to...@gmail.com> wrote:
>
> > Hello All,
> >
> > We're looking for ways to add different http security headers
> > like X-Frame-Options, X-XSS-Protection and others into the http response.
> > We're using Tapestry 5.4.3.
> >
> > One way I found was to add a additional filter in web.xml before the
> > Tapestry Filter takes over but then it add the headers to all the
> requests
> > like for static files and not sure if X-Frame-Options header etc should
> be
> > included for the response of such type of requests.
> >
> > Feel like we should wait till Tapestry done handling the request and then
> > add the security headers before the response goes to the client but could
> > not find how to do it In Tapestry.
> >
> > is there a better way to do this in Tapestry?
> >
> > Thanks for your help !
> >
>
>
> Ben
> --
>
> Netzgut GmbH
>
Re: Add HTTP security Headers in the response
Posted by Ben Weidig <be...@netzgut.net>.
Hi,
you could use a org.apache.tapestry5.services.RequestFilter.class to access
the response (
http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html
)
Something like this (untested code):
public class MySecurityHeadersRequestFilter implements RequestFilter {
@Override
public boolean service(Request request, Response response,
RequestHandler handler) throws IOException {
response.addHeader("X-Frame-Options", "my options");
return handler.service(request, response);
}
}
Then just contribute it in a module:
public static void
contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
conf.addInstance("my-security-headers",
MySecurityHeadersRequestFilter.class);
}
On Wed, Oct 3, 2018 at 5:59 PM Ajay Arora <to...@gmail.com> wrote:
> Hello All,
>
> We're looking for ways to add different http security headers
> like X-Frame-Options, X-XSS-Protection and others into the http response.
> We're using Tapestry 5.4.3.
>
> One way I found was to add a additional filter in web.xml before the
> Tapestry Filter takes over but then it add the headers to all the requests
> like for static files and not sure if X-Frame-Options header etc should be
> included for the response of such type of requests.
>
> Feel like we should wait till Tapestry done handling the request and then
> add the security headers before the response goes to the client but could
> not find how to do it In Tapestry.
>
> is there a better way to do this in Tapestry?
>
> Thanks for your help !
>
Ben
--
Netzgut GmbH