StubbornJava
diff --git a/‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/CustomHandlers.java
Lines changed: 22 additions & 0 deletions b/‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/CustomHandlers.java
Lines changed: 22 additions & 0 deletions
diff --git a/‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/Middleware.java
Lines changed: 3 additions & 1 deletion b/‎stubbornjava-common/src/main/java/com/stubbornjava/common/undertow/handlers/Middleware.java
Lines changed: 3 additions & 1 deletion
diff --git a/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ReferrerPolicyHandlers.java
Lines changed: 32 additions & 0 deletions b/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ReferrerPolicyHandlers.java
Lines changed: 32 additions & 0 deletions
diff --git a/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/StrictTransportSecurityHandlers.java
Lines changed: 16 additions & 0 deletions b/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/StrictTransportSecurityHandlers.java
Lines changed: 16 additions & 0 deletions
diff --git a/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XContentTypeOptionsHandler.java
Lines changed: 12 additions & 0 deletions b/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XContentTypeOptionsHandler.java
Lines changed: 12 additions & 0 deletions
diff --git a/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XFrameOptionsHandlers.java
Lines changed: 34 additions & 0 deletions b/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XFrameOptionsHandlers.java
Lines changed: 34 additions & 0 deletions
diff --git a/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XXssProtectionHandlers.java
Lines changed: 20 additions & 0 deletions b/‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/XXssProtectionHandlers.java
Lines changed: 20 additions & 0 deletions
diff --git a/‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java
Lines changed: 5 additions & 3 deletions b/‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java
Lines changed: 5 additions & 3 deletions
@@ -14,6 +14,13 @@
 import com.stubbornjava.common.HealthChecks;
 import com.stubbornjava.common.Metrics;
 import com.stubbornjava.common.undertow.Exchange;
+import com.stubbornjava.undertow.handlers.MiddlewareBuilder;
+import com.stubbornjava.undertow.handlers.ReferrerPolicyHandlers;
+import com.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;
+import com.stubbornjava.undertow.handlers.StrictTransportSecurityHandlers;
+import com.stubbornjava.undertow.handlers.XContentTypeOptionsHandler;
+import com.stubbornjava.undertow.handlers.XFrameOptionsHandlers;
+import com.stubbornjava.undertow.handlers.XXssProtectionHandlers;
 import com.stubbornjava.undertow.handlers.accesslog.Slf4jAccessLogReceiver;
 
 import io.undertow.Handlers;
@@ -144,4 +151,19 @@ public static HttpHandler loadBalancerHttpToHttps(HttpHandler next) {
             next.handleRequest(exchange);
         };
     }
+
+    public static HttpHandler securityHeaders(HttpHandler next, ReferrerPolicy policy) {
+        MiddlewareBuilder security = MiddlewareBuilder
+            .begin(XFrameOptionsHandlers::deny)
+            .next(XXssProtectionHandlers::enableAndBlock)
+            .next(XContentTypeOptionsHandler::nosniff)
+            .next(handler -> ReferrerPolicyHandlers.policy(handler, policy));
+
+        // TODO: Only add HSTS if we are not local. We should probably
+        // use a self signed cert locally for a better test env
+        if (Env.LOCAL != Env.get()) {
+            security = security.next(handler -> StrictTransportSecurityHandlers.hstsIncludeSubdomains(handler, 31536000L));
+        }
+        return security.complete(next);
+    }
 }
@@ -1,15 +1,17 @@
 package com.stubbornjava.common.undertow.handlers;
 
 import com.stubbornjava.undertow.handlers.MiddlewareBuilder;
+import com.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;
 
 import io.undertow.server.HttpHandler;
 import io.undertow.server.handlers.BlockingHandler;
 
 public class Middleware {
 
     public static HttpHandler common(HttpHandler root) {
-        return MiddlewareBuilder.begin(BlockingHandler::new)
+        return MiddlewareBuilder.begin(handler -> CustomHandlers.securityHeaders(handler, ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                                 .next(CustomHandlers::gzip)
+                                .next(BlockingHandler::new)
                                 .next(CustomHandlers::accessLog)
                                 .next(CustomHandlers::statusCodeMetrics)
                                 .complete(root);
 
@@ -0,0 +1,32 @@
+package com.stubbornjava.undertow.handlers;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.SetHeaderHandler;
+
+public class ReferrerPolicyHandlers {
+    private static final String REFERRER_POLICY_STRING = "Referrer-Policy";
+
+    // See https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+    public enum ReferrerPolicy {
+        EMPTY(""),
+        NO_REFERRER("no-referrer"),
+        NO_REFERRER_WHEN_DOWNGRADE("no-referrer-when-downgrade"),
+        SAME_ORIGIN("same-origin"),
+        ORIGIN("origin"),
+        STRICT_ORIGIN("strict-origin"),
+        ORIGIN_WHEN_CROSS_ORIGIN("origin-when-cross-origin"),
+        STRICT_ORIGIN_WHEN_CROSS_ORIGIN("strict-origin-when-cross-origin"),
+        UNSAFE_URL("unsafe-url");
+
+        private final String value;
+        ReferrerPolicy(String value) {
+            this.value = value;
+        }
+        public String getValue() {
+            return value;
+        }
+    };
+    public static HttpHandler policy(HttpHandler next, ReferrerPolicy policy) {
+        return new SetHeaderHandler(next, REFERRER_POLICY_STRING, policy.getValue());
+    }
+}
@@ -0,0 +1,16 @@
+package com.stubbornjava.undertow.handlers;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.SetHeaderHandler;
+import io.undertow.util.Headers;
+
+public class StrictTransportSecurityHandlers {
+
+    public static HttpHandler hsts(HttpHandler next, long maxAge) {
+        return new SetHeaderHandler(next, Headers.STRICT_TRANSPORT_SECURITY_STRING, "max-age=" + maxAge);
+    }
+
+    public static HttpHandler hstsIncludeSubdomains(HttpHandler next, long maxAge) {
+        return new SetHeaderHandler(next, Headers.STRICT_TRANSPORT_SECURITY_STRING, "max-age=" + maxAge + "; includeSubDomains");
+    }
+}
@@ -0,0 +1,12 @@
+package com.stubbornjava.undertow.handlers;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.SetHeaderHandler;
+
+public class XContentTypeOptionsHandler {
+    private static final String X_CONTENT_TYPE_OPTIONS_STRING = "X-Content-Type-Options";
+
+    public static HttpHandler nosniff(HttpHandler next) {
+        return new SetHeaderHandler(next, X_CONTENT_TYPE_OPTIONS_STRING, "nosniff");
+    }
+}
@@ -0,0 +1,34 @@
+package com.stubbornjava.undertow.handlers;
+
+import java.util.function.Function;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.server.handlers.SetHeaderHandler;
+import io.undertow.util.HttpString;
+
+public class XFrameOptionsHandlers {
+    private static final String X_FRAME_OPTIONS_STRING = "X-Frame-Options";
+    private static final HttpString X_FRAME_OPTIONS = new HttpString(X_FRAME_OPTIONS_STRING);
+
+    public static HttpHandler deny(HttpHandler next) {
+        return new SetHeaderHandler(next, X_FRAME_OPTIONS_STRING, "DENY");
+    }
+
+    public static HttpHandler sameOrigin(HttpHandler next) {
+        return new SetHeaderHandler(next, X_FRAME_OPTIONS_STRING, "SAMEORIGIN");
+    }
+
+    public static HttpHandler allowFromOrigin(HttpHandler next, String origin) {
+        return new SetHeaderHandler(next, X_FRAME_OPTIONS_STRING, "ALLOW-FROM " + origin);
+    }
+
+    public static HttpHandler allowFromDynamicOrigin(HttpHandler next,
+                                        Function<HttpServerExchange, String> originExtractor) {
+        // Since this is dynamic skip using the SetHeaderHandler
+        return exchange -> {
+            exchange.getResponseHeaders().put(X_FRAME_OPTIONS, originExtractor.apply(exchange));
+            next.handleRequest(exchange);
+        };
+    }
+}
@@ -0,0 +1,20 @@
+package com.stubbornjava.undertow.handlers;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.SetHeaderHandler;
+
+public class XXssProtectionHandlers {
+    private static final String X_XSS_PROTECTION_STRING = "X-Xss-Protection";
+
+    public static HttpHandler disable(HttpHandler next) {
+        return new SetHeaderHandler(next, X_XSS_PROTECTION_STRING, "0");
+    }
+
+    public static HttpHandler enable(HttpHandler next) {
+        return new SetHeaderHandler(next, X_XSS_PROTECTION_STRING, "1");
+    }
+
+    public static HttpHandler enableAndBlock(HttpHandler next) {
+        return new SetHeaderHandler(next, X_XSS_PROTECTION_STRING, "1; mode=block");
+    }
+}
@@ -11,6 +11,7 @@
 import com.stubbornjava.common.undertow.SimpleServer;
 import com.stubbornjava.common.undertow.handlers.CustomHandlers;
 import com.stubbornjava.undertow.handlers.MiddlewareBuilder;
+import com.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;
 import com.stubbornjava.webapp.guide.GuideRoutes;
 import com.stubbornjava.webapp.post.JavaLibRoutes;
 import com.stubbornjava.webapp.post.PostRoutes;
@@ -30,14 +31,15 @@ private static HttpHandler exceptionHandler(HttpHandler next) {
            .addExceptionHandler(Throwable.class, PageRoutes::error);
     }
 
-    private static HttpHandler wrapWithMiddleware(HttpHandler handler) {
+    private static HttpHandler wrapWithMiddleware(HttpHandler next) {
         return MiddlewareBuilder.begin(PageRoutes::redirector)
-                                .next(BlockingHandler::new)
+                                .next(handler -> CustomHandlers.securityHeaders(handler, ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                                 .next(CustomHandlers::gzip)
+                                .next(BlockingHandler::new)
                                 .next(ex -> CustomHandlers.accessLog(ex, logger))
                                 .next(CustomHandlers::statusCodeMetrics)
                                 .next(StubbornJavaWebApp::exceptionHandler)
-                                .complete(handler);
+                                .complete(next);
     }
 
     // These routes do not require any authentication