From 5f830688b54e7a3addb382d70b668c611c72acc8 Mon Sep 17 00:00:00 2001
From: HankHerr-NOAA
Date: Fri, 31 Jan 2025 14:45:10 +0000
Subject: [PATCH] Fixing vulnerabilities; refs GitHub #392
---
 wres-tasker/src/wres/tasker/Tasker.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/wres-tasker/src/wres/tasker/Tasker.java b/wres-tasker/src/wres/tasker/Tasker.java
index 890315618..d27020688 100644
--- a/wres-tasker/src/wres/tasker/Tasker.java
+++ b/wres-tasker/src/wres/tasker/Tasker.java
@@ -174,6 +174,16 @@ public boolean handle( Request request,
 .add( "X-Frame-Options", "DENY" );
 response.getHeaders()
 .add( "strict-transport-security", "max-age=31536000; includeSubDomains; preload;" );
+ response.getHeaders()
+ .add( "Content-Security-Policy", "default-src 'self' https: data: blob:;" +
+ " script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:;" +
+ " style-src 'self' 'unsafe-inline' https: data: blob:;" +
+ " img-src 'self' data: https:;" +
+ " font-src 'self' data:;" +
+ " connect-src 'self' https:;" +
+ " object-src 'none';");
+ response.getHeaders()
+ .add( "Referrer-Policy", "strict-origin-when-cross-origin" );
 return super.handle( request, response, callback );
 }
 };
@@ -196,6 +206,9 @@ public boolean handle( Request request,
 HttpConfiguration httpConfig = new HttpConfiguration();
+ // Remover Server from the response headers.
+ httpConfig.setSendServerVersion( false );
+ // Support HTTP/1.1
 HttpConnectionFactory httpOneOne = new HttpConnectionFactory( httpConfig );
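Review bot: The new Content-Security-Policy's `script-src` allows `'unsafe-inline'`, `'unsafe-eval'` and the bare `https:` scheme source together, so it does not actually constrain where scripts may come from or block injected inline script; the same breadth applies to `default-src` and `style-src`, leaving `object-src 'none'` as the only directive that meaningfully restricts anything. If the served pages genuinely require inline script, nonces or hashes are the usual way to keep that without `'unsafe-inline'`, and dropping `'unsafe-eval'` should be checked against what the pages actually do. Independently of that, the policy lacks `frame-ancestors 'none'` (the CSP counterpart of the `X-Frame-Options: DENY` header added a few lines above, and the one modern browsers prefer) and `base-uri 'self'`; both are one-line additions to the string, e.g. `" base-uri 'self'; frame-ancestors 'none';" +` placed before the `object-src` fragment. A short comment above the `.add(` explaining why the permissive sources are needed would help future reviewers judge when they can be tightened. The enclosing `handle` method begins before this hunk.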
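Review bot: The comment on the first added line of the second hunk has a typo (`Remover`) and understates the purpose; suggest `// Suppress the Server header so responses do not disclose the Jetty version.` The collapsed hunk leaves it ambiguous whether the third added line is a blank line or the `// Support HTTP/1.1` comment; if the latter, the old blank line separating the two settings appears to have been lost and is worth restoring for readability. Jetty's `HttpConfiguration` also has `setSendXPoweredBy`, which defaults to false but could be set explicitly next to `setSendServerVersion( false )` so both disclosure settings are visible in one place.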