Merge pull request #393 from NOAA-OWP/github392

Fixing vulnerabilities; refs GitHub #392
NOAA-OWP · Jan 31, 2025 · 57ce297 · 57ce297
2 parents fd0b036 + 5f83068
commit 57ce297
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/wres-tasker/src/wres/tasker/Tasker.java b/wres-tasker/src/wres/tasker/Tasker.java
@@ -174,6 +174,16 @@ public boolean handle( Request request,
                         .add( "X-Frame-Options", "DENY" );
                 response.getHeaders()
                         .add( "strict-transport-security", "max-age=31536000; includeSubDomains; preload;" );
+                response.getHeaders()
+                        .add( "Content-Security-Policy", "default-src 'self' https: data: blob:;"
+                                + " script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:;"
+                                + " style-src 'self' 'unsafe-inline' https: data: blob:;"
+                                + " img-src 'self' data: https:;"
+                                + " font-src 'self' data:;"
+                                + " connect-src 'self' https:;"
+                                + " object-src 'none';");
+                response.getHeaders()
+                        .add( "Referrer-Policy", "strict-origin-when-cross-origin" );
                 return super.handle( request, response, callback );
             }
         };
@@ -196,6 +206,9 @@ public boolean handle( Request request,
 
         HttpConfiguration httpConfig = new HttpConfiguration();
 
+        // Remover Server from the response headers.
+        httpConfig.setSendServerVersion( false );
+
         // Support HTTP/1.1
         HttpConnectionFactory httpOneOne = new HttpConnectionFactory( httpConfig );