{"id":18250523,"url":"https://github.com/dropwizard/dropwizard-web","last_synced_at":"2025-04-04T16:31:28.111Z","repository":{"id":35388995,"uuid":"185870813","full_name":"dropwizard/dropwizard-web","owner":"dropwizard","description":"Provides support for configuring various http headers that are important for web services.","archived":false,"fork":false,"pushed_at":"2024-10-28T01:18:30.000Z","size":496,"stargazers_count":14,"open_issues_count":2,"forks_count":4,"subscribers_count":7,"default_branch":"release/4.0.x","last_synced_at":"2024-10-28T05:16:07.844Z","etag":null,"topics":["cors","csp","dropwizard","hacktoberfest","headers","hsts","java","xss"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dropwizard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-09T20:58:41.000Z","updated_at":"2024-10-28T01:18:33.000Z","dependencies_parsed_at":"2023-10-05T06:15:38.516Z","dependency_job_id":"d35b3735-42f6-4636-a0a3-468d38fcf059","html_url":"https://github.com/dropwizard/dropwizard-web","commit_stats":{"total_commits":269,"total_committers":7,"mean_commits":38.42857142857143,"dds":0.5204460966542751,"last_synced_commit":"6724dc9d6a7935c477a8384ad0752519cb616ae3"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dropwizard%2Fdropwizard-web","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dropwizard%2Fdropwizard-web/tags","releases_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dropwizard%2Fdropwizard-web/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dropwizard%2Fdropwizard-web/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dropwizard","download_url":"https://codeload.github.com/dropwizard/dropwizard-web/tar.gz/refs/heads/release/4.0.x","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223149946,"owners_count":17095954,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cors","csp","dropwizard","hacktoberfest","headers","hsts","java","xss"],"created_at":"2024-11-05T09:45:00.870Z","updated_at":"2024-11-05T09:45:01.625Z","avatar_url":"https://github.com/dropwizard.png","language":"Java","readme":"# dropwizard-web\n[![Build Status](https://github.com/dropwizard/dropwizard-web/actions/workflows/build.yml/badge.svg)](https://github.com/dropwizard/dropwizard-web/actions)\n[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=dropwizard_dropwizard-web\u0026metric=coverage)](https://sonarcloud.io/summary/new_code?id=dropwizard_dropwizard-web)\n[![Maven Central](https://img.shields.io/maven-central/v/io.dropwizard.modules/dropwizard-web.svg)](http://mvnrepository.com/artifact/io.dropwizard.modules/dropwizard-web)\n\nProvides support for configuring various http headers that are important for web services.\n\n## Supports\n- HTTP Strict Transport Security (HSTS)\n- X-Frame-Options\n- X-Content-Type-Options\n- X-XSS-Protection (XSS)\n- Content Security Policy (CSP)\n- Cross-Origin 
Resource Sharing (CORS)\n- other custom headers\n\n## Dropwizard Version Support Matrix\n| dropwizard-web | Dropwizard v1.3.x  | Dropwizard v2.0.x  | Dropwizard v2.1.x  | Dropwizard v3.0.x  | Dropwizard v4.0.x  |\n|----------------|--------------------|--------------------|--------------------|--------------------|--------------------|\n| v1.3.x         | :white_check_mark: | :white_check_mark: | :question:         | :x:                | :x:                |\n| v1.4.x         | :white_check_mark: | :white_check_mark: | :question:         | :x:                | :x:                |\n| v1.5.x         | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x:                | :x:                |\n| v2.0.x         | :x:                | :x:                | :x:                | :white_check_mark: | :question:         |\n| v3.0.x         | :x:                | :x:                | :x:                | :white_check_mark: | :white_check_mark: |\n\n## Usage\nIn your application's `Configuration` class, add a `WebConfiguration` object:\n```java\npublic class ExampleConfiguration extends Configuration {\n    ...\n\n    @Valid\n    @NotNull\n    @JsonProperty(\"web\")\n    private WebConfiguration webConfiguration = new WebConfiguration();\n\n    public WebConfiguration getWebConfiguration() {\n        return webConfiguration;\n    }\n\n    public void setWebConfiguration(final WebConfiguration webConfiguration) {\n        this.webConfiguration = webConfiguration;\n    }\n}\n```\n\nAdd a `WebBundle` to the `Bootstrap` object in your `initialize` method:\n```java\nbootstrap.addBundle(new WebBundle\u003c\u003e() {\n    @Override\n    public WebConfiguration getWebConfiguration(final ExampleConfiguration configuration) {\n        return configuration.getWebConfiguration();\n    }\n\n    // Optional: Override Servlet environment to apply the configuration to the admin servlets\n    @Override\n    protected ServletEnvironment getServletEnvironment(Environment 
environment) {\n        return environment.admin();\n    }\n});\n```\n\n## Basic Configuration\nDefine the following configuration in your `config.yml` file:\n```yaml\nweb:\n  uriPath: /api\n  hsts:\n    enabled: true\n  frame-options:\n    enabled: true\n  content-type-options:\n    enabled: true\n  xss-protection:\n    enabled: true\n```\n`uriPath` should indicate the path where APIs are served from.\n\nThis minimal config results in the following:\n- HSTS configured for 1 year, including subdomains\n- Frames disabled\n- Content-Type sniffing disabled\n- XSS filtering on in `block` mode\n\nSupport for CORS or CSP requires additional configuration.\n\n## Maven Artifacts\nThis project is available on Maven Central. To add it to your project, add the following dependency to your\n`pom.xml`:\n```xml\n\u003cdependency\u003e\n  \u003cgroupId\u003eio.dropwizard.modules\u003c/groupId\u003e\n  \u003cartifactId\u003edropwizard-web\u003c/artifactId\u003e\n  \u003cversion\u003e${dropwizard-web.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n## Configuration Reference\n### Web Configuration\nName | Default | Description\n---- | ------- | -----------\nhsts | (1 year, including subdomains) | Configure Strict-Transport-Security.\nframe-options | (disable frames) | Configure X-Frame-Options.\ncontent-type-options | (disable content-type sniffing) | Configure X-Content-Type-Options.\nxss-protection | (on in block mode) | Configure X-XSS-Protection.\ncsp | (none) | Configure Content Security Policy.\ncors | (none) | Configure Cross-Origin Resource Sharing.\nheaders | (none) | Configure custom headers.\n\n### HTTP Strict Transport Security (HSTS)\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\n\n```yaml\nweb:\n  hsts:\n    enabled: true\n    maxAge: 365 days\n    includeSubDomains: true\n```\n\nName | Default | Description\n---- | ------- | -----------\nmaxAge | 365 days | The time that the browser should remember that a 
site is only to be accessed using HTTPS.\nincludeSubDomains | true | If `true`, this rule applies to all of the site's subdomains as well.\npreload | false | See [Preloading Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for details.\nenabled | false | If false, does not apply header(s).\n\n### X-Frame-Options\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options\n\n```yaml\nweb:\n  frame-options:\n    enabled: true\n    option: SAMEORIGIN\n```\n\nName | Default | Description\n---- | ------- | -----------\noption | DENY | Must be one of: DENY, SAMEORIGIN, ALLOW-FROM\norigin | (none) | If option is ALLOW-FROM, identifies the origin that will be allowed to display this page in a frame.\nenabled | false | If false, does not apply header(s).\n\n### X-Content-Type-Options\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\n\n```yaml\nweb:\n  content-type-options:\n    enabled: true\n```\n\nName | Default | Description\n---- | ------- | -----------\nenabled | false | If false, does not apply header(s).\n\n### X-XSS-Protection (XSS)\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\n\n```yaml\nweb:\n  xss-protection:\n    enabled: true\n    on: true\n    block: true\n```\n\nName | Default | Description\n---- | ------- | -----------\non | true | If true, enables XSS filtering.\nblock | true | If true, when the browser detects an attack, the page will not be rendered. 
If false, the browser will sanitize the page to remove the unsafe parts.\nenabled | false | If false, does not apply header(s).\n\n\n### Content Security Policy (CSP)\n- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP\n- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\n\n```yaml\nweb:\n  csp:\n    enabled: true\n    policy: \"default-src 'self'\"\n```\n\nName | Default | Description\n---- | ------- | -----------\npolicy | (none) | Policy directives that control resources the browser is allowed to load for a page.\nreportOnlyPolicy | (none) | Same as 'policy' but only reports violations instead of preventing them.\nenabled | false | If false, does not apply header(s).\n\n\n### Cross-Origin Resource Sharing (CORS)\n- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS\n- https://www.eclipse.org/jetty/documentation/9.4.x/cross-origin-filter.html\n\n```yaml\nweb:\n  cors:\n    allowedOrigins: [\"example.com\"]\n    allowedMethods: [\"DELETE\",\"GET\",\"HEAD\",\"POST\",\"PUT\"]\n    allowedHeaders: [\"Accept\",\"Authorization\",\"Content-Type\",\"Origin\",\"X-Requested-With\"]\n    preflightMaxAge: 30 minutes\n```\n\nName | Default | Description\n---- | ------- | -----------\nallowedOrigins | (all origins) | A list of origins that are allowed to access the resources.\nallowedTimingOrigins | (no origins) | A list of origins that are allowed to time the resources.\nallowedMethods | [\"GET\",\"POST\",\"HEAD\"] | A list of HTTP methods that are allowed to be used when accessing the resources.\npreflightMaxAge | 30 minutes | The duration that preflight requests can be cached by the client.\nallowCredentials | true | A boolean indicating if the resource allows requests with credentials.\nexposedHeaders | (empty list) | A list of HTTP headers that are allowed to be exposed on the client.\nchainPreflight | true | If true, preflight requests 
are chained to their target resource for normal handling (as an OPTIONS request). Otherwise, the filter responds to the preflight itself.\n\n### Other Headers\n```yaml\nweb:\n  headers:\n    X-Custom-Header-1: custom value 1\n    X-Custom-Header-2: custom value 2\n```\n\nName | Default | Description\n---- | ------- | -----------\nheaders | (none) | Map of headers (name and value) to include in the response.\n\n## Support\nPlease file bug reports and feature requests in [GitHub issues](https://github.com/dropwizard/dropwizard-web/issues).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdropwizard%2Fdropwizard-web","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdropwizard%2Fdropwizard-web","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdropwizard%2Fdropwizard-web/lists"}