Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions core/src/main/java/google/registry/ui/server/CspFilter.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
// Copyright 2026 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package google.registry.ui.server;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Filter to inject security headers, including CSP, for defense-in-depth. */
public class CspFilter implements Filter {

private static final String CSP_POLICY =
"default-src 'self'; object-src 'none'; base-uri 'self';";

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (response instanceof HttpServletResponse httpResponse) {
httpResponse.setHeader("Content-Security-Policy", CSP_POLICY);
httpResponse.setHeader("X-Content-Type-Options", "nosniff");
httpResponse.setHeader("X-Frame-Options", "DENY");
}
chain.doFilter(request, response);
}
}
44 changes: 44 additions & 0 deletions core/src/test/java/google/registry/ui/server/CspFilterTest.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
// Copyright 2026 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package google.registry.ui.server;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;

import jakarta.servlet.FilterChain;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;

/** Unit tests for {@link CspFilter}. */
class CspFilterTest {

@Test
void testDoFilter_setsHeaders() throws Exception {
CspFilter filter = new CspFilter();
HttpServletRequest request = mock(HttpServletRequest.class);
HttpServletResponse response = mock(HttpServletResponse.class);
FilterChain chain = mock(FilterChain.class);

filter.doFilter(request, response, chain);

verify(response)
.setHeader(
"Content-Security-Policy", "default-src 'self'; object-src 'none'; base-uri 'self';");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
verify(response).setHeader("X-Frame-Options", "DENY");
verify(chain).doFilter(request, response);
}
}
4 changes: 4 additions & 0 deletions jetty/src/main/jetty-base/start.d/ee10-servlets.ini
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# ---------------------------------------
# Module: ee10-servlets
# ---------------------------------------
--module=ee10-servlets
16 changes: 16 additions & 0 deletions jetty/src/main/jetty-base/webapps/console/WEB-INF/web.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,22 @@
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd"
version="5.0">

<filter>
<filter-name>CspHeaderFilter</filter-name>
<filter-class>org.eclipse.jetty.ee10.servlets.HeaderFilter</filter-class>
<init-param>
<param-name>headerConfig</param-name>
<param-value>
set Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self';
</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>CspHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
<servlet-name>default-no-cache</servlet-name>
<servlet-class>org.eclipse.jetty.ee10.servlet.DefaultServlet</servlet-class>
Expand Down
11 changes: 11 additions & 0 deletions jetty/src/main/webapp/WEB-INF/web.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,17 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
version="6.0">
<!-- Filters -->
<filter>
<filter-name>CspFilter</filter-name>
<filter-class>google.registry.ui.server.CspFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>CspFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Servlets -->

<!-- Servlet for injected frontend actions -->
Expand Down
Loading