com.helger.xservlet.filter

Class XServletFilterSecurityXFrameOptions

java.lang.Object

com.helger.xservlet.filter.XServletFilterSecurityXFrameOptions

All Implemented Interfaces:

IXServletLowLevelFilter, Serializable

public class XServletFilterSecurityXFrameOptions
extends Object
implements IXServletLowLevelFilter

Avoid Clickjacking attack using the 'X-Frame-Options' HTTP header.

Since:

9.1.1

Author:

Philip Helger

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
XServletFilterSecurityXFrameOptions(com.helger.servlet.response.EXFrameOptionType eType, com.helger.commons.url.ISimpleURL aDomain) The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> .

Method Summary

Modifier and Type	Method and Description
com.helger.commons.state.EContinue	beforeRequest(javax.servlet.http.HttpServletRequest aHttpRequest, javax.servlet.http.HttpServletResponse aHttpResponse, com.helger.http.EHttpVersion eHttpVersion, com.helger.commons.http.EHttpMethod eHttpMethod) Invoked before an XServlet request is handled.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.helger.xservlet.filter.IXServletLowLevelFilter

afterRequest

Constructor Detail

XServletFilterSecurityXFrameOptions

public XServletFilterSecurityXFrameOptions(@Nonnull
                                           com.helger.servlet.response.EXFrameOptionType eType,
                                           @Nullable
                                           com.helger.commons.url.ISimpleURL aDomain)

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Example:

 X-Frame-Options: DENY
 X-Frame-Options: SAMEORIGIN
 X-Frame-Options: ALLOW-FROM https://example.com/
 

Parameters:

eType - The X-Frame-Options type to be set. May not be null.

aDomain - The domain URL to be used in "ALLOW-FROM". May be null for the other cases.

Method Detail

beforeRequest

@Nonnull
public com.helger.commons.state.EContinue beforeRequest(@Nonnull
                                                                  javax.servlet.http.HttpServletRequest aHttpRequest,
                                                                  @Nonnull
                                                                  javax.servlet.http.HttpServletResponse aHttpResponse,
                                                                  @Nonnull
                                                                  com.helger.http.EHttpVersion eHttpVersion,
                                                                  @Nonnull
                                                                  com.helger.commons.http.EHttpMethod eHttpMethod)

Description copied from interface: IXServletLowLevelFilter

Invoked before an XServlet request is handled. This method is created before the request is created! Exceptions occurring in this method will be propagated to the outside, so be careful :)

Specified by:

beforeRequest in interface IXServletLowLevelFilter

Parameters:

aHttpRequest - HTTP servlet request. Never null.

aHttpResponse - HTTP servlet response. Never null.

eHttpVersion - HTTP version. Never null.

eHttpMethod - HTTP method. Never null.

Returns:

EContinue.CONTINUE to continue processing, or EContinue.BREAK if this request should not be processed, in which case the HttpServletResponse must contain a valid response!