24. Mozilla_Observatory_Example - klopfdreh/wicket-components-playground GitHub Wiki

A few days ago Mozilla released a web page that checks other web pages for security-relevant issues:

https://observatory.mozilla.org

Here are some tips on how to get an A+ grade:

Add this RequestCycleListener in the `init()` method of your Application class. It sets the security headers the Observatory looks for on every response:

	// Imports needed in your Application class (Wicket 6/7 package names)
	import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
	import org.apache.wicket.request.cycle.RequestCycle;
	import org.apache.wicket.request.http.WebResponse;

	@Override
	protected void init()
	{
		super.init();
		// onEndRequest runs for every request, so the headers end up on every response
		getRequestCycleListeners().add(new AbstractRequestCycleListener()
		{
			@Override
			public void onEndRequest(RequestCycle cycle)
			{
				// Not every response is a WebResponse; only set headers when it is,
				// instead of casting blindly and risking a ClassCastException
				if (cycle.getResponse() instanceof WebResponse)
				{
					WebResponse response = (WebResponse)cycle.getResponse();
					// Legacy browser XSS filter: block the page instead of sanitizing it
					response.setHeader("X-XSS-Protection", "1; mode=block");
					// HSTS: one year, including subdomains, eligible for the preload list
					response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
					// Stop browsers from guessing content types
					response.setHeader("X-Content-Type-Options", "nosniff");
					// Never allow the site to be framed (clickjacking)
					response.setHeader("X-Frame-Options", "DENY");
					// Only load resources (scripts, images, styles, ...) over https
					response.setHeader("Content-Security-Policy", "default-src https:");
				}
			}
		});
	}

Add the following lines to your web.xml:

	<!-- Force SSL for entire site -->
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Entire Application</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

And of course check that your web application still works. If it does not, you have to find out why (one example would be images that are loaded from other domains).
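A quick way to verify that the listener really puts the headers on every page is a WicketTester test. This is an added example, not code from the wiki project; it assumes the listener above is registered in an application class named `MyApplication`, and that JUnit 4 and the wicket-core test utilities are on the test classpath.

```java
import static org.junit.Assert.assertEquals;

import org.apache.wicket.protocol.http.mock.MockHttpServletResponse;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

public class SecurityHeadersTest
{
	private WicketTester tester;

	@Before
	public void setUp()
	{
		// MyApplication is the assumed name of the application that registers the listener
		tester = new WicketTester(new MyApplication());
	}

	@After
	public void tearDown()
	{
		tester.destroy();
	}

	@Test
	public void securityHeadersArePresentOnRenderedPage()
	{
		// Render the home page; WicketTester follows Wicket's redirect-to-buffer automatically
		tester.startPage(tester.getApplication().getHomePage());
		MockHttpServletResponse response = tester.getLastResponse();

		// The values must match what the listener sets, otherwise the Observatory grade drops
		assertEquals("1; mode=block", response.getHeader("X-XSS-Protection"));
		assertEquals("max-age=31536000; includeSubDomains; preload",
			response.getHeader("Strict-Transport-Security"));
		assertEquals("nosniff", response.getHeader("X-Content-Type-Options"));
		assertEquals("DENY", response.getHeader("X-Frame-Options"));
		assertEquals("default-src https:", response.getHeader("Content-Security-Policy"));
	}
}
```

If a header is missing in the test but present in the browser (or the other way round), compare the request type: the listener only sets headers when the response is a WebResponse.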