MashZone NextGen HTTP header security filter

MashZone NextGen provides a dedicated HTTP header security filter, configured in the web.xml file. By default this filter always sends X-Frame-Options: SAMEORIGIN; it can instead be configured to send ALLOW-FROM for any number of trusted websites. This HTTP response header instructs the browser to refuse to render any MashZone NextGen content in an iframe unless the iframe is within MashZone NextGen itself.

HttpHeaderSecurityFilter

The commented configuration from the web.xml file follows.

    <filter>
        <filter-name>HTTP Header Security Filter</filter-name>
        <filter-class>
            com.jackbe.jbp.sas.security.ui.http.HttpHeaderSecurityFilter
        </filter-class>
        <!--
            Init Param: antiClickJackingEnabled
            Should the anti click-jacking header (X-Frame-Options) be set on the response.
            Valid options: true or false
            When true, X-Frame-Options will always contain "SAMEORIGIN". This instructs
            browsers to disallow iframing of MzNG content outside of the MzNG application
            itself. If false, X-Frame-Options will not be sent at all, which completely
            disables clickjacking protection (allows any site to iframe MzNG).
            Note: X-Frame-Options is superseded by Content-Security-Policy.
            https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        -->
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <!--
            Init Param: antiClickJackingUris
            List of comma separated URIs for sites allowed to iframe content in MzNG.
            To allow external sites to iframe MzNG content, uncomment this init param
            and add the site URI to the list. Also configure the 'Content Security
            Policy' filter below.
            If the request to MzNG contains a Referer value matching the scheme, host
            and port of one of the URIs in the list, the X-Frame-Options header will
            send "ALLOW-FROM uri". This allows the browser to render the iframe. If
            there is no match (or the list is empty) X-Frame-Options will send
            "SAMEORIGIN" and the browser will refuse to render the iframe.
            Any site added to this list should also be added to the 'Content Security
            Policy' header.
        <init-param>
            <param-name>antiClickJackingUris</param-name>
            <param-value>http://some-server.com</param-value>
        </init-param>
        -->
        <!--
            Init param: hstsEnabled
            Enable the HTTP Strict Transport Security (HSTS) header
            (Strict-Transport-Security) to be set on the response for secure requests.
        -->
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <!--
            Init Param: hstsMaxAgeSeconds
            The max age value that should be used in the HSTS header. Negative values
            will be treated as zero. If not specified, the default value of 0 will be used.
        -->
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>604800</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HTTP Header Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The antiClickJackingUris parameter takes a comma separated list of URIs and is commented out by default. Any request for a MashZone NextGen resource whose Referer header field matches the scheme, host and port of a URI in antiClickJackingUris results in a response carrying the X-Frame-Options header with the corresponding ALLOW-FROM value. If there is no match, X-Frame-Options carries the SAMEORIGIN value.
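As an added illustration of the behaviour described above (Python written for this page, not the filter's own Java source), the model below derives the X-Frame-Options and Strict-Transport-Security values from the init-params and a request's Referer. How the real filter treats a missing port or an unparsable Referer is not stated on the page, so the scheme-default fallback and the "no match" handling here are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample of the init-params above (antiClickJackingUris uncommented).
SAMPLE_CONFIG = {"antiClickJackingEnabled": "true",
                 "antiClickJackingUris": "http://some-server.com",
                 "hstsEnabled": "true", "hstsMaxAgeSeconds": "604800"}

def origin_of(uri):
    """(scheme, host, port) of a URI, or None if unparsable; a missing port falls back to the scheme default (assumed)."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    port = DEFAULT_PORTS.get(parts.scheme.lower()) if port is None else port
    return (parts.scheme.lower(), parts.hostname.lower(), port)

def parse_allowed_uris(param_value):
    return [u.strip() for u in (param_value or "").split(",") if u.strip()]

def x_frame_options(enabled, allowed_uris, referer):
    """Header value, or None when antiClickJackingEnabled is false (header not sent)."""
    if not enabled:
        return None
    ref_origin = origin_of(referer) if referer else None
    if ref_origin is not None:
        for uri in allowed_uris:
            if origin_of(uri) == ref_origin:  # exact scheme/host/port, never substring
                return "ALLOW-FROM " + uri
    return "SAMEORIGIN"

def hsts_header(enabled, max_age_seconds, is_secure):
    """Strict-Transport-Security for secure requests only; negative max-age becomes 0."""
    if not enabled or not is_secure:
        return None
    return "max-age=%d" % max(0, int(max_age_seconds))

def response_headers(config, referer, is_secure):
    """Headers the filter would add to one response, from the init-param dict."""
    enabled = config.get("antiClickJackingEnabled") == "true"
    allowed = parse_allowed_uris(config.get("antiClickJackingUris"))
    xfo = x_frame_options(enabled, allowed, referer)
    headers = {"X-Frame-Options": xfo} if xfo else {}
    hsts = hsts_header(config.get("hstsEnabled") == "true", config.get("hstsMaxAgeSeconds", 0), is_secure)
    if hsts:
        headers["Strict-Transport-Security"] = hsts
    return headers
```

Current Chromium and Firefox ignore ALLOW-FROM and enforce only the CSP frame-ancestors directive, which is why the comment above also tells you to configure the Content Security Policy filter for any site in the list.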