<%--
@(#)security.jsp 0.01 03/01/2021
Copyright (C) 2011 - 2021 MER-C
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
--%>
<%@ page import="java.io.*" %>
<%@ page import="java.net.*" %>
<%@ page import="java.nio.charset.StandardCharsets" %>
<%@ page import="java.util.*" %>
<%@ page import="java.util.stream.*" %>
<%@ page import="java.time.*" %>
<%@ page import="java.time.format.*" %>
<%@ page import="java.time.temporal.*" %>
<%@ page import="org.wikipedia.*" %>
<%@ page import="org.wikipedia.servlets.*" %>
<%@ page import="org.wikipedia.tools.*" %>
<%@ page trimDirectiveWhitespaces="true"%>
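<%
// Request filtering and response security headers. This fragment is meant
// to run before the including page writes any output, so the encoding and
// headers set here still take effect (setCharacterEncoding/setHeader are
// no-ops once the response is committed).

// Disallow bad robots.
// getHeader() returns null when the request carries no User-Agent header at
// all; calling contains() on it would throw a NullPointerException and turn
// the request into a 500. Treat a missing header as an empty string so such
// a request falls through to the page instead of erroring out.
String useragent = request.getHeader("User-Agent");
if (useragent == null)
    useragent = "";
// Case-sensitive substring match, as before. `return` leaves the including
// page's service method, so nothing further is rendered for a blocked agent.
String[] blockedAgents = { "Tweetmeme", "Apache-HttpClient", "bing.com",
    "Wget", "archive.org", "Amazonbot" };
for (String agent : blockedAgents)
{
    if (useragent.contains(agent))
    {
        response.setStatus(403);
        return;
    }
}

// The wiki farm is initialised here only because this fragment is the first
// thing executed; `sessions` is left in scope for the including page.
WMFWikiFarm sessions = WMFWikiFarm.instance();
sessions.setInitializer(wiki_ -> wiki_.setMaxLag(-1));
response.setCharacterEncoding("UTF-8");

// Set security headers.
// Enable HSTS (force HTTPS) for one year. Without "includeSubDomains" the
// policy covers this host only -- widen it if subdomains are also HTTPS-only.
response.setHeader("Strict-Transport-Security", "max-age=31536000");
response.setHeader("Content-Security-Policy",
    "frame-ancestors 'none'; " + // disable framing
    "default-src 'none'; " + // disable everything by default
    "script-src 'self'; " + // allow only scripts from this domain
    "style-src 'self'"); // allow only stylesheets from this domain
// Disable the Referer header on outbound navigation.
response.setHeader("Referrer-Policy", "no-referrer");
%>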