Adding Security Headers in response of spring MVC Application

Question

I want to add below headers in the response header in Spring MVC :

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

I have written below code in MvcConfig file which extends WebMvcConfigurerAdapter.

 @Bean 
    public Filter securityHeadersFilter() { 
        return new OncePerRequestFilter(){ 
            @Override 
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { 
                filterChain.doFilter(request, response); 

                response.setHeader("X-XSS-Protection", "1; mode=block"); 
                response.setHeader("X-Content-Type-Options", "nosniff"); 
            } 
        };
     }

now, when I hit request, and see the response header on Browser, these two headers doesn't come. I nowhere registered the filter with urlPattern. Is this the problem or I missed some other thing? if urlpattern configuration is the problem then plz tell me how and where to configure it.

Anyway, My ultimate goal is to get above two security headers in Response header.

Answer 1

It's quite simple to add new security header in you response in spring framework, I am listing here all the most commonly used security headers:-
Code is:
1) first write a customize new filter

package com.mypackage;
    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.web.filter.OncePerRequestFilter;

        public class AddHeaderFilter extends OncePerRequestFilter {

            private static final Logger LOG = LoggerFactory.getLogger(AddHeaderFilter.class);
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response, FilterChain filterChain)throws ServletException, IOException {

                    response.setHeader("X-XSS-Protection", "1; mode=block");
                    response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); 
                    response.setHeader("X-Content-Type-Options", "nosniff"); 
                    response.setHeader("Cache-control", "no-store, no-cache"); 
                    response.setHeader("X-Frame-Options", "DENY"); 
                    response.setHeader("Set-Cookie", "XSRF-TOKEN=NDKDdfdsfkldsfNd3SZAJfwLsTl5WUgOkE; Path=/; Secure;HttpOnly");
                    filterChain.doFilter(request, response);

                    LOG.info("Exit: AddHeaderFilter");


            }

        }

2) Now configure this filter to your web.xml file.

<filter>
      <filter-name>addHeaderFilter</filter-name>
      <filter-class>com.mypackage.AddHeaderFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>addHeaderFilter</filter-name>
      <url-pattern>/api/*</url-pattern>
    </filter-mapping>

That's all. Now hit your API and watch the response back. you will get these headers in your response. :)

Answer 2

Spring Security, starting from 3.2 version, add these headers for your.

More info about its configuration:

• http://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-xss-protection
• http://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-content-type-options

Of course, it works only if you are using Spring Security in the project :)