2016-02-03 10:20:22 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
|
|
|
* and other contributors as indicated by the @author tags.
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2015-07-17 11:45:43 +00:00
|
|
|
package org.keycloak.models;
|
|
|
|
|
|
|
|
|
|
import java.util.Collections;
|
|
|
|
|
import java.util.HashMap;
|
|
|
|
|
import java.util.Map;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
|
|
|
|
* @version $Revision: 1 $
|
|
|
|
|
*/
|
|
|
|
|
public class BrowserSecurityHeaders {
|
|
|
|
|
public static final Map<String, String> headerAttributeMap;
|
|
|
|
|
public static final Map<String, String> defaultHeaders;
|
|
|
|
|
|
|
|
|
|
static {
|
2016-03-11 14:25:21 +00:00
|
|
|
Map<String, String> headerMap = new HashMap<>();
|
2015-07-17 11:45:43 +00:00
|
|
|
headerMap.put("xFrameOptions", "X-Frame-Options");
|
|
|
|
|
headerMap.put("contentSecurityPolicy", "Content-Security-Policy");
|
2018-08-25 00:16:19 +00:00
|
|
|
headerMap.put("contentSecurityPolicyReportOnly", "Content-Security-Policy-Report-Only");
|
2016-03-11 14:25:21 +00:00
|
|
|
headerMap.put("xContentTypeOptions", "X-Content-Type-Options");
|
2017-04-04 07:56:48 +00:00
|
|
|
headerMap.put("xRobotsTag", "X-Robots-Tag");
|
2017-04-10 09:20:07 +00:00
|
|
|
headerMap.put("xXSSProtection", "X-XSS-Protection");
|
2017-10-19 21:32:21 +00:00
|
|
|
headerMap.put("strictTransportSecurity", "Strict-Transport-Security");
|
2015-07-17 11:45:43 +00:00
|
|
|
|
2016-03-11 14:25:21 +00:00
|
|
|
Map<String, String> dh = new HashMap<>();
|
2015-07-17 11:45:43 +00:00
|
|
|
dh.put("xFrameOptions", "SAMEORIGIN");
|
2017-08-28 04:46:03 +00:00
|
|
|
dh.put("contentSecurityPolicy", "frame-src 'self'; frame-ancestors 'self'; object-src 'none';");
|
2018-08-25 00:16:19 +00:00
|
|
|
dh.put("contentSecurityPolicyReportOnly", "");
|
2016-03-11 14:25:21 +00:00
|
|
|
dh.put("xContentTypeOptions", "nosniff");
|
2017-04-04 07:56:48 +00:00
|
|
|
dh.put("xRobotsTag", "none");
|
2017-04-10 09:20:07 +00:00
|
|
|
dh.put("xXSSProtection", "1; mode=block");
|
2017-10-19 21:32:21 +00:00
|
|
|
dh.put("strictTransportSecurity", "max-age=31536000; includeSubDomains");
|
2015-07-17 11:45:43 +00:00
|
|
|
|
|
|
|
|
defaultHeaders = Collections.unmodifiableMap(dh);
|
|
|
|
|
headerAttributeMap = Collections.unmodifiableMap(headerMap);
|
|
|
|
|
}
|
2017-08-28 04:46:03 +00:00
|
|
|
}
|
