Preface

This article mainly studies the SecureHeadersGatewayFilter of Spring Cloud Gateway

GatewayAutoConfiguration

@Configuration
@ConditionalOnProperty(name = "spring.cloud.gateway.enabled", matchIfMissing = true)
@EnableConfigurationProperties
@AutoConfigureBefore(HttpHandlerAutoConfiguration.class)
@AutoConfigureAfter({GatewayLoadBalancerClientAutoConfiguration.class, GatewayClassPathWarningAutoConfiguration.class})
@ConditionalOnClass(DispatcherHandler.class)
public class GatewayAutoConfiguration {
	// ...... (other bean definitions omitted from this excerpt)

	/**
	 * Registers the {@link SecureHeadersGatewayFilterFactory} bean.
	 *
	 * <p>The factory receives the bound {@link SecureHeadersProperties}, i.e. the
	 * {@code spring.cloud.gateway.filter.secure-headers.*} configuration, so the
	 * header values the filter emits are whatever the application configured,
	 * falling back to the defaults declared on {@link SecureHeadersProperties}.
	 *
	 * @param properties the bound secure-headers configuration
	 * @return the factory backing the {@code SecureHeaders} gateway filter
	 */
	@Bean
	public SecureHeadersGatewayFilterFactory secureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
		SecureHeadersGatewayFilterFactory factory = new SecureHeadersGatewayFilterFactory(properties);
		return factory;
	}

	// ... (remaining configuration omitted from this excerpt)
}

SecureHeadersProperties

Configuration items

    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'"."name": "spring.cloud.gateway.filter.secure-headers.content-security-policy"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "nosniff"."name": "spring.cloud.gateway.filter.secure-headers.content-type-options"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "noopen"."name": "spring.cloud.gateway.filter.secure-headers.download-options"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "DENY"."name": "spring.cloud.gateway.filter.secure-headers.frame-options"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "none"."name": "spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "no-referrer"."name": "spring.cloud.gateway.filter.secure-headers.referrer-policy"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "max-age=631138519"."name": "spring.cloud.gateway.filter.secure-headers.strict-transport-security"."type": "java.lang.String"
    },
    {
      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties"."defaultValue": "1. mode=block"."name": "spring.cloud.gateway.filter.secure-headers.xss-protection-header"."type": "java.lang.String"
    }

Entity class

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java

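@ConfigurationProperties("spring.cloud.gateway.filter.secure-headers")
public class SecureHeadersProperties {

	/**
	 * Default for {@code X-Xss-Protection}: enable the browser's reflective-XSS
	 * filter and block the page instead of trying to sanitise it. The listing
	 * this was taken from showed a garbled {@code "1. mode=block"}; the value
	 * the article's summary documents is {@code "1 ; mode=block"}.
	 */
	public static final String X_XSS_PROTECTION_HEADER_DEFAULT = "1 ; mode=block";

	/**
	 * Default for {@code Strict-Transport-Security}. Only {@code max-age} is set;
	 * {@code includeSubDomains} and {@code preload} are not, so subdomains are
	 * not covered unless the operator appends them (e.g. {@code "; includeSubDomains preload"}).
	 */
	public static final String STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT = "max-age=631138519";

	/** Default for {@code X-Frame-Options}. Alternatives: SAMEORIGIN, ALLOW-FROM. */
	public static final String X_FRAME_OPTIONS_HEADER_DEFAULT = "DENY";

	/** Default for {@code X-Content-Type-Options}: stop MIME sniffing of responses. */
	public static final String X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT = "nosniff";

	/**
	 * Default for {@code Referrer-Policy}. Alternatives: no-referrer-when-downgrade,
	 * origin, origin-when-cross-origin, same-origin, strict-origin,
	 * strict-origin-when-cross-origin, unsafe-url.
	 */
	public static final String REFERRER_POLICY_HEADER_DEFAULT = "no-referrer";

	/**
	 * Default for {@code Content-Security-Policy}. Note the permissive parts of
	 * this default: {@code script-src https:} allows scripts from any HTTPS
	 * origin, and {@code style-src} includes {@code 'unsafe-inline'}. Deployments
	 * that rely on CSP as an XSS mitigation should override this with an
	 * origin-specific policy.
	 */
	public static final String CONTENT_SECURITY_POLICY_HEADER_DEFAULT = "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'";

	/** Default for {@code X-Download-Options}: do not open downloads directly in the browser context. */
	public static final String X_DOWNLOAD_OPTIONS_HEADER_DEFAULT = "noopen";

	/** Default for {@code X-Permitted-Cross-Domain-Policies}: no Flash/PDF cross-domain policy files are honoured. */
	public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT = "none";

	// Each field is bound from spring.cloud.gateway.filter.secure-headers.<kebab-case name>
	// and starts at the matching *_DEFAULT above.
	private String xssProtectionHeader = X_XSS_PROTECTION_HEADER_DEFAULT;
	private String strictTransportSecurity = STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT;
	private String frameOptions = X_FRAME_OPTIONS_HEADER_DEFAULT;
	private String contentTypeOptions = X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT;
	private String referrerPolicy = REFERRER_POLICY_HEADER_DEFAULT;
	private String contentSecurityPolicy = CONTENT_SECURITY_POLICY_HEADER_DEFAULT;
	private String downloadOptions = X_DOWNLOAD_OPTIONS_HEADER_DEFAULT;
	private String permittedCrossDomainPolicies = X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT;

	// ... getters and setters omitted from this listing

	/**
	 * Renders every configured header value, in declaration order, for logging
	 * and debugging. None of these values are secrets, so printing them is safe.
	 *
	 * @return a one-line description of the form {@code SecureHeadersProperties{name='value', ...}}
	 */
	@Override
	public String toString() {
		// StringBuilder: toString() is single-threaded, the synchronised StringBuffer buys nothing here.
		StringBuilder sb = new StringBuilder("SecureHeadersProperties{");
		sb.append("xssProtectionHeader='").append(xssProtectionHeader).append('\'');
		sb.append(", strictTransportSecurity='").append(strictTransportSecurity).append('\'');
		sb.append(", frameOptions='").append(frameOptions).append('\'');
		sb.append(", contentTypeOptions='").append(contentTypeOptions).append('\'');
		sb.append(", referrerPolicy='").append(referrerPolicy).append('\'');
		sb.append(", contentSecurityPolicy='").append(contentSecurityPolicy).append('\'');
		sb.append(", downloadOptions='").append(downloadOptions).append('\'');
		sb.append(", permittedCrossDomainPolicies='").append(permittedCrossDomainPolicies).append('\'');
		sb.append('}');
		return sb.toString();
	}
}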

SecureHeadersGatewayFilterFactory

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java

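/**
 * Gateway filter factory that adds a fixed set of security response headers to
 * every response that passes through a route using this filter.
 *
 * <p>Header names are the constants declared below; header values come from
 * {@link SecureHeadersProperties}. Values are appended with
 * {@code HttpHeaders#add}, not {@code set}: if the downstream service already
 * emitted one of these headers the response will carry both values, and which
 * policy a browser then applies depends on the header, so gateway operators
 * should not assume the gateway's value overrides the backend's.
 *
 * https://blog.appcanary.com/2017/http-security-headers.html
 * @author Spencer Gibb
 */
public class SecureHeadersGatewayFilterFactory extends AbstractGatewayFilterFactory {

	/** Header name for the browser reflective-XSS filter setting. */
	public static final String X_XSS_PROTECTION_HEADER = "X-Xss-Protection";
	/** Header name for HSTS (forces HTTPS for the max-age the value declares). */
	public static final String STRICT_TRANSPORT_SECURITY_HEADER = "Strict-Transport-Security";
	/** Header name for the framing policy (clickjacking mitigation). */
	public static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
	/** Header name for the MIME-sniffing opt-out. */
	public static final String X_CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options";
	/** Header name for the referrer policy. */
	public static final String REFERRER_POLICY_HEADER = "Referrer-Policy";
	/** Header name for the Content Security Policy. */
	public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
	/** Header name for the download-handling option. */
	public static final String X_DOWNLOAD_OPTIONS_HEADER = "X-Download-Options";
	/** Header name for the cross-domain policy-file setting. */
	public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER = "X-Permitted-Cross-Domain-Policies";

	private final SecureHeadersProperties properties;

	/**
	 * @param properties bound configuration supplying the header values; must not be null
	 * @throws NullPointerException if {@code properties} is null (fail at wiring time
	 *         rather than on the first request through the filter)
	 */
	public SecureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
		this.properties = java.util.Objects.requireNonNull(properties, "properties");
	}

	/**
	 * Builds the filter. The {@code config} argument is currently ignored: every
	 * header is always added and its value always comes from {@link #properties}
	 * (see the TODOs below). The headers are written before the chain continues,
	 * so they are present on the response regardless of what the downstream
	 * filters or service do.
	 *
	 * @param config route-level filter arguments (ignored)
	 * @return a filter that appends the security headers to the response
	 */
	@Override
	public GatewayFilter apply(Object config) {
		//TODO: allow args to override properties

		return (exchange, chain) -> {
			HttpHeaders headers = exchange.getResponse().getHeaders();

			//TODO: allow header to be disabled
			headers.add(X_XSS_PROTECTION_HEADER, properties.getXssProtectionHeader());
			headers.add(STRICT_TRANSPORT_SECURITY_HEADER, properties.getStrictTransportSecurity());
			headers.add(X_FRAME_OPTIONS_HEADER, properties.getFrameOptions());
			headers.add(X_CONTENT_TYPE_OPTIONS_HEADER, properties.getContentTypeOptions());
			headers.add(REFERRER_POLICY_HEADER, properties.getReferrerPolicy());
			headers.add(CONTENT_SECURITY_POLICY_HEADER, properties.getContentSecurityPolicy());
			headers.add(X_DOWNLOAD_OPTIONS_HEADER, properties.getDownloadOptions());
			headers.add(X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER, properties.getPermittedCrossDomainPolicies());

			return chain.filter(exchange);
		};
	}
}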

As shown above, the filter appends a series of security-related headers to the response headers before passing the exchange on to the rest of the filter chain.

Summary

SecureHeadersGatewayFilter adds the following headers to the response; each is listed with the property that configures it and its default value:

  • X-Xss-Protection

spring.cloud.gateway.filter.secure-headers.xss-protection-header=1 ; mode=block

  • Strict-Transport-Security

spring.cloud.gateway.filter.secure-headers.strict-transport-security=max-age=631138519

  • X-Frame-Options

spring.cloud.gateway.filter.secure-headers.frame-options=DENY

  • X-Content-Type-Options

spring.cloud.gateway.filter.secure-headers.content-type-options=nosniff

  • Referrer-Policy

spring.cloud.gateway.filter.secure-headers.referrer-policy=no-referrer

  • Content-Security-Policy

spring.cloud.gateway.filter.secure-headers.content-security-policy=default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'

  • X-Download-Options

spring.cloud.gateway.filter.secure-headers.download-options=noopen

  • X-Permitted-Cross-Domain-Policies

spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies=none

Documentation

  • Everything you need to know about HTTP security headers
  • 112.14 SecureHeaders GatewayFilter Factory