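/*
 * Copyright 2017-2018 John Yeary <jyeary@bluelotussoftware.com>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.bluelotussoftware.tomcat.security.valves;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * <p>
 * This {@link Valve} sets an {@literal X-XSS-Protection: 1; mode=block}
 * header on every {@link Response} that passes through the pipeline.</p>
 * <p>
 * The header is written with {@code setHeader}, so exactly one value is
 * emitted even when the valve is configured at more than one level of the
 * container (for example on both the Host and the Context), or when an
 * upstream component already added the header.</p>
 * <p>
 * The header is set <em>before</em> the rest of the pipeline runs, so a
 * downstream filter or application may still override it.</p>
 * <p>
 * Note: the browser-side XSS auditor that this header controlled has been
 * retired by the major browsers; treat this valve as a legacy
 * defence-in-depth measure, not a substitute for output encoding and a
 * {@literal Content-Security-Policy} header.</p>
 * <p>
 * Configure it in {@literal context.xml} or {@literal server.xml} as a
 * standard Tomcat valve element:</p>
 * <pre>
 * {@code <Valve className="com.bluelotussoftware.tomcat.security.valves.XSSProtectionValve" />}
 * </pre>
 *
 * @author John Yeary
 * @version 1.0.0
 */
public class XSSProtectionValve extends ValveBase {

    /** Name of the response header written by this valve. */
    static final String HEADER_NAME = "X-XSS-Protection";

    /**
     * Header value: enable the legacy reflected-XSS filter ({@literal 1}) and
     * ask the browser to block rendering instead of attempting to sanitise
     * the page ({@literal mode=block}).
     */
    static final String HEADER_VALUE = "1; mode=block";

    /**
     * {@inheritDoc}
     * <p>
     * Sets the {@literal X-XSS-Protection: 1; mode=block} header on the
     * {@link Response}, replacing any value already present, and then
     * passes the request to the next valve in the pipeline.</p>
     *
     * @param request  the request being processed
     * @param response the response that receives the header
     * @throws IOException      if thrown by a downstream valve
     * @throws ServletException if thrown by a downstream valve
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // setHeader rather than addHeader: a duplicated X-XSS-Protection header is
        // ambiguous to the client, and this valve may legitimately run more than
        // once per request when configured at several pipeline levels.
        response.setHeader(HEADER_NAME, HEADER_VALUE);
        getNext().invoke(request, response);
    }

}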