Class SecurityHeaders

java.lang.Object
com.oorian.security.SecurityHeaders

public class SecurityHeaders extends Object
Fluent builder for configuring HTTP security response headers.

SecurityHeaders provides a centralized way to configure standard security headers that are applied to every HTTP response. This complements ContentSecurityPolicy and CacheControl by covering the remaining OWASP-recommended headers.

Usage:


 // In Application.initialize():
 setSecurityHeaders(SecurityHeaders.production());

 // Or customize:
 setSecurityHeaders(new SecurityHeaders()
     .frameOptions(FrameOption.SAMEORIGIN)
     .hstsMaxAge(31536000)
     .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
     .permissionsPolicy("camera=(), microphone=(), geolocation=()"));
 
Since:
2.1
Version:
1.0
Author:
Marvin P. Warble Jr.
  • Constructor Details

    • SecurityHeaders

      public SecurityHeaders()
      Creates an empty SecurityHeaders configuration.
  • Method Details

    • production

      public static SecurityHeaders production()
      Creates a production-ready configuration with secure defaults.

      Includes:

      • X-Content-Type-Options: nosniff
      • X-Frame-Options: DENY
      • Referrer-Policy: strict-origin-when-cross-origin
      • Permissions-Policy: camera=(), microphone=(), geolocation=()
      • Cross-Origin-Opener-Policy: same-origin
      • Cross-Origin-Resource-Policy: same-origin

      Strict-Transport-Security is not included: it must only be sent by a site served exclusively over HTTPS, so add it explicitly with hstsMaxAge(long) or hstsMaxAge(long, boolean) once that holds. Content-Security-Policy and Cache-Control are configured separately through ContentSecurityPolicy and CacheControl.
      Returns:
      a SecurityHeaders instance with production defaults
    • getInstance

      public static SecurityHeaders getInstance()
      Returns the global SecurityHeaders instance.
      Returns:
      the instance, or null if not configured
    • contentTypeOptions

      public SecurityHeaders contentTypeOptions()
      Adds the X-Content-Type-Options: nosniff header.

      Prevents browsers from MIME-sniffing a response into a type other than its declared Content-Type. This blocks content-type confusion attacks, for example a user-uploaded file served as text/plain being interpreted as HTML or script and executed as XSS.

      Returns:
      this instance for chaining
    • frameOptions

      public SecurityHeaders frameOptions(SecurityHeaders.FrameOption option)
      Sets the X-Frame-Options header.

      Controls whether the page may be loaded in a frame, preventing clickjacking. DENY forbids framing by any origin; SAMEORIGIN allows framing only by pages of the same origin. The deprecated ALLOW-FROM value is not offered; per-origin framing exceptions belong in the CSP frame-ancestors directive.

      Parameters:
      option - the frame option (DENY or SAMEORIGIN)
      Returns:
      this instance for chaining
    • hstsMaxAge

      public SecurityHeaders hstsMaxAge(long maxAgeSeconds)
      Sets the Strict-Transport-Security header (HSTS).

      Instructs browsers to access the site only over HTTPS for the specified duration. Browsers ignore this header when it arrives over plain HTTP, and once they have accepted it over HTTPS they refuse plain-HTTP connections to the host until max-age expires. Enable it only when every path on the site is served over HTTPS, and start with a short max-age during rollout so that a misconfiguration does not lock users out for a long time.

      Parameters:
      maxAgeSeconds - the time in seconds that the browser should remember to use HTTPS
      Returns:
      this instance for chaining
    • hstsMaxAge

      public SecurityHeaders hstsMaxAge(long maxAgeSeconds, boolean includeSubDomains)
      Sets the Strict-Transport-Security header with includeSubDomains.

      The includeSubDomains directive extends the HTTPS-only rule to every subdomain of the host, including internal or legacy ones that may not yet be reachable over HTTPS; confirm all of them are before enabling it.
      Parameters:
      maxAgeSeconds - the HSTS max-age in seconds
      includeSubDomains - whether to apply HSTS to all subdomains
      Returns:
      this instance for chaining
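The following is an added example, not code from the Oorian project, showing how the HSTS methods above and header() can be combined into a staged rollout that starts from production(). It assumes that production() returns a builder the fluent methods can continue to extend, and that header() accepts any header name; the Stage enum, forStage() and the hsts.stage JVM property are this example's own inventions.

```java
import com.oorian.security.SecurityHeaders;

/**
 * Staged HSTS rollout layered on SecurityHeaders.production().
 * Added example, not part of the Oorian project. Only the methods documented
 * on this page are used; the Stage enum and forStage() are this example's own.
 */
public final class HstsRollout {

    /** Each stage widens the HTTPS commitment that browsers will cache. */
    public enum Stage { HTTP_STILL_SERVED, HTTPS_TRIAL, HTTPS_ONLY, PRELOAD }

    private static final long FIVE_MINUTES = 5L * 60;
    private static final long ONE_WEEK = 7L * 24 * 60 * 60;
    private static final long TWO_YEARS = 2L * 365 * 24 * 60 * 60; // 63072000

    /** Builds the header set for the given rollout stage (assumes production() is chainable). */
    public static SecurityHeaders forStage(Stage stage) {
        SecurityHeaders headers = SecurityHeaders.production();
        switch (stage) {
            case HTTP_STILL_SERVED:
                // No HSTS yet: a browser that accepts it over HTTPS would refuse
                // the remaining plain-HTTP paths for the whole max-age.
                return headers;
            case HTTPS_TRIAL:
                // Short max-age, so a mistaken deploy is undone within minutes.
                return headers.hstsMaxAge(FIVE_MINUTES);
            case HTTPS_ONLY:
                // includeSubDomains only after every subdomain answers on HTTPS.
                return headers.hstsMaxAge(ONE_WEEK, true);
            case PRELOAD:
                // The hstsMaxAge() overloads carry no "preload" token, so the full
                // value is set through header(). Preload-list submission requires
                // max-age of at least 31536000, includeSubDomains and preload.
                return headers.header("Strict-Transport-Security",
                        "max-age=" + TWO_YEARS + "; includeSubDomains; preload");
            default:
                throw new IllegalArgumentException("unknown stage: " + stage);
        }
    }

    public static void main(String[] args) {
        // In Application.initialize() this would be: setSecurityHeaders(forStage(stage));
        // Here the stage name comes from a hypothetical JVM property, defaulting to the safest one.
        Stage stage = Stage.valueOf(System.getProperty("hsts.stage", "HTTP_STILL_SERVED"));
        SecurityHeaders headers = forStage(stage);
        System.out.println("configured SecurityHeaders for stage " + stage + ": " + headers);
    }
}
```

Move to the next stage only after the previous one has been live without reports of broken plain-HTTP paths; the max-age values are the browser-side cost of rolling back, so they grow in step with confidence.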
    • referrerPolicy

      public SecurityHeaders referrerPolicy(SecurityHeaders.ReferrerPolicy policy)
      Sets the Referrer-Policy header.

      Controls how much referrer information is sent with requests. This helps prevent leaking sensitive URL parameters to third-party sites.

      Parameters:
      policy - the referrer policy
      Returns:
      this instance for chaining
    • permissionsPolicy

      public SecurityHeaders permissionsPolicy(String policy)
      Sets the Permissions-Policy header.

      Restricts which browser features (camera, microphone, geolocation, etc.) the page may use. A feature whose allowlist is empty, written as (), is disabled for the page and for every frame it embeds.

      Parameters:
      policy - the permissions policy string
      Returns:
      this instance for chaining
    • crossOriginOpenerPolicy

      public SecurityHeaders crossOriginOpenerPolicy(String policy)
      Sets the Cross-Origin-Opener-Policy header.

      Controls whether the page can interact with cross-origin windows that opened it or that it opened. A value of "same-origin" places the document in its own browsing context group, severing window.opener references from cross-origin pages and so removing the window handles used in XS-Leaks and tabnabbing attacks. Pages that rely on window.opener for popup-based login flows should use "same-origin-allow-popups" instead.

      Parameters:
      policy - the COOP value (e.g., "same-origin", "same-origin-allow-popups")
      Returns:
      this instance for chaining
    • crossOriginResourcePolicy

      public SecurityHeaders crossOriginResourcePolicy(String policy)
      Sets the Cross-Origin-Resource-Policy header.

      Controls which origins may load this response as a subresource (img, script, no-cors fetch and similar). A value of "same-origin" restricts loading to the same origin; assets that other sites are meant to embed need "same-site" or "cross-origin", otherwise the browser blocks them.

      Parameters:
      policy - the CORP value (e.g., "same-origin", "same-site", "cross-origin")
      Returns:
      this instance for chaining
    • header

      public SecurityHeaders header(String name, String value)
      Sets a custom security header.
      Parameters:
      name - the header name
      value - the header value
      Returns:
      this instance for chaining
    • apply

      public void apply(OorianHttpResponse response)
      Applies all configured security headers to the given HTTP response.
      Parameters:
      response - the HTTP response to add headers to
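The following is an added example, not code from the Oorian project: an offline audit of the headers a server configured with production() and hstsMaxAge(31536000, true) should send. It uses only the JDK (java.net.http.HttpHeaders, Java 11+) and constructed sample headers; the audit rules, thresholds and the SecurityHeaderAudit class are this example's own choices, not something the page specifies.

```java
import java.net.http.HttpHeaders;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Offline audit of the response headers SecurityHeaders is meant to emit.
 * Added example, not part of the Oorian project; the sample headers are constructed.
 */
public final class SecurityHeaderAudit {

    private static final Set<String> FRAME_OK = Set.of("deny", "sameorigin");
    private static final Set<String> REFERRER_OK = Set.of(
            "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin");
    private static final long MIN_HSTS_AGE = 31536000L; // one year, this example's threshold

    /** Returns one finding per missing or weak header; an empty list means every check passed. */
    public static List<String> audit(HttpHeaders h) {
        List<String> findings = new ArrayList<>();

        if (!"nosniff".equals(lower(h, "X-Content-Type-Options")))
            findings.add("X-Content-Type-Options missing or not 'nosniff'");

        String frame = lower(h, "X-Frame-Options");
        if (frame == null || !FRAME_OK.contains(frame))
            findings.add("X-Frame-Options missing or not DENY/SAMEORIGIN");

        String referrer = lower(h, "Referrer-Policy");
        if (referrer == null || !REFERRER_OK.contains(referrer))
            findings.add("Referrer-Policy missing or sends the full URL cross-origin");

        if (h.firstValue("Permissions-Policy").isEmpty())
            findings.add("Permissions-Policy missing");
        if (!"same-origin".equals(lower(h, "Cross-Origin-Opener-Policy")))
            findings.add("Cross-Origin-Opener-Policy is not 'same-origin'");
        if (h.firstValue("Cross-Origin-Resource-Policy").isEmpty())
            findings.add("Cross-Origin-Resource-Policy missing");

        long maxAge = hstsMaxAge(h);
        if (maxAge < 0) findings.add("Strict-Transport-Security missing or malformed");
        else if (maxAge < MIN_HSTS_AGE) findings.add("HSTS max-age " + maxAge + " is below one year");

        return findings;
    }

    /** Parses the max-age directive of an HSTS value; -1 if the header is absent or malformed. */
    static long hstsMaxAge(HttpHeaders h) {
        Optional<String> sts = h.firstValue("Strict-Transport-Security");
        if (sts.isEmpty()) return -1;
        for (String directive : sts.get().split(";")) {
            String d = directive.trim().toLowerCase(Locale.ROOT);
            if (d.startsWith("max-age=")) {
                try {
                    return Long.parseLong(d.substring("max-age=".length()).replace("\"", ""));
                } catch (NumberFormatException e) {
                    return -1;
                }
            }
        }
        return -1;
    }

    /** First value of a header, trimmed and lower-cased; null when absent. Lookup is case-insensitive. */
    private static String lower(HttpHeaders h, String name) {
        return h.firstValue(name).map(v -> v.trim().toLowerCase(Locale.ROOT)).orElse(null);
    }

    public static void main(String[] args) {
        // Constructed sample: what production() plus hstsMaxAge(31536000, true) should send.
        HttpHeaders full = HttpHeaders.of(Map.of(
                "X-Content-Type-Options", List.of("nosniff"),
                "X-Frame-Options", List.of("DENY"),
                "Referrer-Policy", List.of("strict-origin-when-cross-origin"),
                "Permissions-Policy", List.of("camera=(), microphone=(), geolocation=()"),
                "Cross-Origin-Opener-Policy", List.of("same-origin"),
                "Cross-Origin-Resource-Policy", List.of("same-origin"),
                "Strict-Transport-Security", List.of("max-age=31536000; includeSubDomains")),
                (k, v) -> true);
        // Constructed sample: production() alone, with HSTS never added.
        HttpHeaders noHsts = HttpHeaders.of(Map.of(
                "X-Content-Type-Options", List.of("nosniff"),
                "X-Frame-Options", List.of("DENY"),
                "Referrer-Policy", List.of("strict-origin-when-cross-origin"),
                "Permissions-Policy", List.of("camera=(), microphone=(), geolocation=()"),
                "Cross-Origin-Opener-Policy", List.of("same-origin"),
                "Cross-Origin-Resource-Policy", List.of("same-origin")),
                (k, v) -> true);

        System.out.println("full set: " + audit(full));
        System.out.println("no HSTS:  " + audit(noHsts));
    }
}
```

To run the same audit against a deployed server, replace the constructed map with the headers of a real response, for example `HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.discarding()).headers()`, and run it once per distinct response type (HTML page, API endpoint, static asset), since the COOP and CORP rules that fit a document are often wrong for an asset that other sites embed.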