- private void tryAuthWithCertificate(HttpServletRequest req,
- X509Certificate x509Certificate) {
- String serial = x509Certificate.getSerialNumber().toString(16)
- .toUpperCase();
- try {
- PreparedStatement ps = DatabaseConnection
- .getInstance()
- .prepare(
- "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
- + "'0000-00-00 00:00:00'");
- ps.setString(1, serial);
- ResultSet rs = ps.executeQuery();
- if (rs.next()) {
- HttpSession hs = req.getSession();
- hs.setAttribute(LOGGEDIN, true);
- hs.setAttribute(USER, new User(rs.getInt(1)));
- }
- rs.close();
- } catch (SQLException e) {
- e.printStackTrace();
+
+ public static void addXSSHeaders(HttpServletResponse hsr) {
+ hsr.addHeader("Access-Control-Allow-Origin", "https://"
+ + ServerConstants.getWwwHostNamePort() + " https://"
+ + ServerConstants.getSecureHostNamePort());
+ hsr.addHeader("Access-Control-Max-Age", "60");
+
+ hsr.addHeader("Content-Security-Policy", getDefaultCSP());
+ hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
+
+ }
+ private static String defaultCSP = null;
+ private static String getDefaultCSP() {
+ if (defaultCSP == null) {
+ StringBuffer csp = new StringBuffer();
+ csp.append("default-src 'none';");
+ csp.append("font-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";img-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";media-src 'none'; object-src 'none';");
+ csp.append("script-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";style-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";form-action https://"
+ + ServerConstants.getSecureHostNamePort() + " https://"
+ + ServerConstants.getWwwHostNamePort());
+ csp.append("report-url https://api.cacert.org/security/csp/report");
+ defaultCSP = csp.toString();