tapestry-users mailing list archives

From Ajay Arora <toajayar...@gmail.com>
Subject Re: Add HTTP security Headers in the response
Date Wed, 03 Oct 2018 18:00:32 GMT
Thank you for the quick response and solution.

Does this way of adding the headers give us any advantages over having a
filter in front of the Tapestry filter, like maybe better performance?
I believe the built-in Tapestry filters would be called before any custom
filter(s), and one of those filters, like 'StaticFilesFilter', might skip some
requests going further to the new custom filter? And I still need to
parse the resource type in the custom filter before setting a particular header,
like x-frame-options does not make sense for an image?

Thanks for your help !


On Wed, Oct 3, 2018 at 12:11 PM Ben Weidig <ben@netzgut.net> wrote:

> Hi,
>
> you could use an org.apache.tapestry5.services.RequestFilter.class to access
> the response
> (http://tapestry.apache.org/current/apidocs//org/apache/tapestry5/services/RequestFilter.html)
>
> Something like this (untested code):
>
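> import java.io.IOException;
>
> import org.apache.tapestry5.services.Request;
> import org.apache.tapestry5.services.RequestFilter;
> import org.apache.tapestry5.services.RequestHandler;
> import org.apache.tapestry5.services.Response;
>
> public class MySecurityHeadersRequestFilter implements RequestFilter {
>
>     @Override
>     public boolean service(Request request, Response response, RequestHandler handler) throws IOException {
>         // Set the header before passing the request down the pipeline
>         response.addHeader("X-Frame-Options", "my options");
>         return handler.service(request, response);
>     }
> }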
>
> Then just contribute it in a module:
>
> public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
>     conf.addInstance("my-security-headers", MySecurityHeadersRequestFilter.class);
> }
>
> On Wed, Oct 3, 2018 at 5:59 PM Ajay Arora <toajayarora@gmail.com> wrote:
>
> > Hello All,
> >
> > We're looking for ways to add different HTTP security headers
> > like X-Frame-Options, X-XSS-Protection and others into the HTTP response.
> > We're using Tapestry 5.4.3.
> >
> > One way I found was to add an additional filter in web.xml before the
> > Tapestry Filter takes over, but then it adds the headers to all the
> > requests, like for static files, and I am not sure if the X-Frame-Options
> > header etc. should be included for the response of such types of requests.
> >
> > Feel like we should wait until Tapestry is done handling the request and then
> > add the security headers before the response goes to the client, but could
> > not find how to do it in Tapestry.
> >
> > Is there a better way to do this in Tapestry?
> >
> > Thanks for your help !
> >
>
>
> Ben
> --
>
> Netzgut GmbH
>
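
One way to choose headers per request inside the RequestFilter discussed in this thread, as an added example that is not code from either poster or from Tapestry. The class name, the "/assets/" prefix, the extension list and the header values are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Locale;

import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

// Hypothetical filter: picks security headers from the request path.
public class SecurityHeadersRequestFilter implements RequestFilter {

    // Assumption: Tapestry-managed assets are served under this path prefix.
    private static final String ASSET_PREFIX = "/assets/";

    // Assumption: extensions this application only ever serves as static files.
    private static final String[] STATIC_EXTENSIONS = {
        ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2"
    };

    @Override
    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        // Headers are set before the rest of the pipeline runs: once the
        // response has been committed they can no longer be added.
        response.setHeader("X-Content-Type-Options", "nosniff");

        // Framing and XSS-filter headers only matter for rendered documents,
        // so static resources are skipped. Example values, adjust to policy.
        if (!isStaticResource(request.getPath())) {
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
            response.setHeader("X-XSS-Protection", "1; mode=block");
        }
        return handler.service(request, response);
    }

    // True when the path (context path already excluded) looks like a static file.
    static boolean isStaticResource(String path) {
        String p = path.toLowerCase(Locale.ROOT);
        if (p.startsWith(ASSET_PREFIX)) {
            return true;
        }
        for (String ext : STATIC_EXTENSIONS) {
            if (p.endsWith(ext)) {
                return true;
            }
        }
        return false;
    }
}
```

The filter is contributed the same way as in Ben's snippet. Because the decision uses only the request path, it does not depend on what later filters write to the response.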
