Class UnifiedResponseDefaultSettings


  • @ThreadSafe
    public final class UnifiedResponseDefaultSettings
    extends Object
    This class encapsulates default settings to be applied to all UnifiedResponse objects.
    Since:
    6.0.5
    Author:
    Philip Helger
    • Field Detail

      • DEFAULT_HTTP_HEADER_VALUES_UNIFIED

        public static final boolean DEFAULT_HTTP_HEADER_VALUES_UNIFIED
        By default HTTP header value unification is enabled
        See Also:
        Constant Field Values
      • DEFAULT_HTTP_HEADER_VALUES_QUOTE_IF_NECESSARY

        public static final boolean DEFAULT_HTTP_HEADER_VALUES_QUOTE_IF_NECESSARY
        By default the quoting of HTTP header values (where necessary) is disabled
        See Also:
        Constant Field Values
    • Method Detail

      • getResponseHeaderMap

        @Nonnull
        @ReturnsMutableCopy
        public static com.helger.commons.http.HttpHeaderMap getResponseHeaderMap()
        Returns:
        The non-null header map.
      • setAllowMimeSniffing

        public static void setAllowMimeSniffing(boolean bAllow)
        When specifying false, this method uses a special response header to prevent certain browsers from MIME-sniffing a response away from the declared content-type. When passing true, that header is removed.
        Parameters:
        bAllow - Whether or not sniffing should be allowed (default is true).
      • setEnableXSSFilter

        public static void setEnableXSSFilter(boolean bEnable)
        This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. It is unknown whether that version honored this header.
        Parameters:
        bEnable - true to enable the header, false to disable it.
      • setStrictTransportSecurity

        public static void setStrictTransportSecurity(@Nonnegative
                                                      int nMaxAgeSeconds,
                                                      boolean bIncludeSubdomains)
        HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supported browser receives this header, it will prevent any communication from being sent over HTTP to the specified domain and will instead send all communication over HTTPS. It also prevents HTTPS click-through prompts on browsers. The specification was published at the end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF.
        Parameters:
        nMaxAgeSeconds - number of seconds, after the reception of the STS header field, during which the UA regards the host (from whom the message was received) as a Known HSTS Host.
        bIncludeSubdomains - if enabled, this signals the UA that the HSTS Policy applies to this HSTS Host as well as any sub-domains of the host's domain name.
      • removeStrictTransportSecurity

        public static void removeStrictTransportSecurity()
        Remove the `Strict-Transport-Security` header from the default settings.
        Since:
        9.1.1
      • setXFrameOptions

        public static void setXFrameOptions(@Nullable
                                            EXFrameOptionType eType,
                                            @Nullable
                                            com.helger.commons.url.ISimpleURL aDomain)
        The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Example:
         X-Frame-Options: DENY
         X-Frame-Options: SAMEORIGIN
         X-Frame-Options: ALLOW-FROM https://example.com/
        Parameters:
        eType - The X-Frame-Options type to be set. May not be null.
        aDomain - The domain URL to be used in "ALLOW-FROM". May be null for the other cases.
      • setReferrerPolicy

        public static void setReferrerPolicy(@Nullable
                                             com.helger.http.EHttpReferrerPolicy eReferrerPolicy)
        Set the default referrer policy to use. See https://scotthelme.co.uk/a-new-security-header-referrer-policy/
        Parameters:
        eReferrerPolicy - Policy to use. May be null.
      • setResponseHeader

        public static void setResponseHeader(@Nonnull @Nonempty
                                             String sName,
                                             @Nonnull @Nonempty
                                             String sValue)
        Sets a response header to the response according to the passed name and value. An existing header entry with the same name is overridden.
        Parameters:
        sName - Name of the header. May neither be null nor empty.
        sValue - Value of the header. May neither be null nor empty.
      • addResponseHeader

        public static void addResponseHeader(@Nonnull @Nonempty
                                             String sName,
                                             @Nonnull @Nonempty
                                             String sValue)
        Adds a response header to the response according to the passed name and value. If an existing header with the same name is present, the value is added to the list so that the header is emitted more than once.
        Parameters:
        sName - Name of the header. May neither be null nor empty.
        sValue - Value of the header. May neither be null nor empty.
      • removeResponseHeaders

        @Nonnull
        public static com.helger.commons.state.EChange removeResponseHeaders(@Nonnull @Nonempty
                                                                             String sName)
        Removes the response headers matching the passed name from the response.
        ATTENTION: You should only use the APIs that UnifiedResponseDefaultSettings directly offers. Use this method only in an emergency and make sure you validate the header field and the allowed value!
        Parameters:
        sName - Name of the header to be removed. May neither be null nor empty.
        Returns:
        EChange.CHANGED if a header was removed.
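The following startup hook is an added example and is not part of ph-web or of this class: it applies the hardened defaults described above (HSTS, X-Frame-Options, no MIME sniffing, referrer policy) through the setters on this page, and wraps setResponseHeader with the name and value validation that the ATTENTION note asks for. The package of EXFrameOptionType, the enum constant EXFrameOptionType.DENY and the constant EHttpReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN are assumptions.

```java
import java.util.regex.Pattern;

import com.helger.http.EHttpReferrerPolicy;
import com.helger.servlet.response.EXFrameOptionType;          // package assumed
import com.helger.servlet.response.UnifiedResponseDefaultSettings;

public final class SecureResponseDefaults {
  // Header name must be an RFC 7230 token; a value may contain only TAB, SP and visible ASCII,
  // so CR, LF and NUL (header injection / response splitting) are rejected up front.
  private static final Pattern HEADER_NAME = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");
  private static final Pattern HEADER_VALUE = Pattern.compile("[\\t\\x20-\\x7E]+");

  private SecureResponseDefaults() {}

  /** Call once at application startup, before the first UnifiedResponse is built. */
  public static void apply() {
    // Strict-Transport-Security: max-age=31536000; includeSubDomains (one year)
    UnifiedResponseDefaultSettings.setStrictTransportSecurity(365 * 24 * 60 * 60, true);
    // X-Frame-Options: DENY, so no ALLOW-FROM domain is required (enum constant assumed)
    UnifiedResponseDefaultSettings.setXFrameOptions(EXFrameOptionType.DENY, null);
    // Adds the header that stops browsers from MIME-sniffing away from the declared type
    UnifiedResponseDefaultSettings.setAllowMimeSniffing(false);
    // Legacy browser XSS filter header as described in setEnableXSSFilter
    UnifiedResponseDefaultSettings.setEnableXSSFilter(true);
    // Referrer policy (constant name assumed to exist in EHttpReferrerPolicy)
    UnifiedResponseDefaultSettings.setReferrerPolicy(EHttpReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN);
    // Unify header values and quote them where necessary (9.1.4 setters)
    UnifiedResponseDefaultSettings.setHttpHeaderValuesUnified(true);
    UnifiedResponseDefaultSettings.setHttpHeaderValuesQuoteIfNecessary(true);
  }

  /**
   * Guarded variant of setResponseHeader: rejects a name that is not a token and a
   * value containing control characters, then delegates to the default settings.
   */
  public static void setValidatedHeader(final String sName, final String sValue) {
    if (sName == null || !HEADER_NAME.matcher(sName).matches())
      throw new IllegalArgumentException("Invalid HTTP header name: " + sName);
    if (sValue == null || !HEADER_VALUE.matcher(sValue).matches())
      throw new IllegalArgumentException("Invalid HTTP header value for header " + sName);
    UnifiedResponseDefaultSettings.setResponseHeader(sName, sValue);
  }
}
```

Because these are process-wide static defaults, apply() belongs in a servlet context listener or equivalent one-time initializer rather than in per-request code.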
      • removeAllResponseHeaders

        @Nonnull
        public static com.helger.commons.state.EChange removeAllResponseHeaders()
        Remove all response headers currently present.
        Returns:
        EChange
      • hasCookies

        public static boolean hasCookies()
        Returns:
        true if at least one cookie is present.
      • getAllCookies

        @Nonnull
        @ReturnsMutableCopy
        public static com.helger.commons.collection.impl.ICommonsOrderedMap<String,jakarta.servlet.http.Cookie> getAllCookies()
        Returns:
        A copy of all contained cookies. Never null but maybe empty.
      • addCookie

        public static void addCookie(@Nonnull
                                     jakarta.servlet.http.Cookie aCookie)
        Add the passed cookie.
        Parameters:
        aCookie - The cookie to be added. May not be null.
      • removeCookie

        @Nonnull
        public static com.helger.commons.state.EChange removeCookie(@Nullable
                                                                    String sName)
        Remove the cookie with the specified name.
        Parameters:
        sName - The name of the cookie to be removed. May be null.
        Returns:
        EChange
      • removeAllCookies

        @Nonnull
        public static com.helger.commons.state.EChange removeAllCookies()
        Remove all cookies.
        Returns:
        EChange.CHANGED if at least one cookie was removed.
      • isHttpHeaderValuesUnified

        public static boolean isHttpHeaderValuesUnified()
        Returns:
        true if HTTP header values will be unified, false if not.
        Since:
        9.1.4
        See Also:
        DEFAULT_HTTP_HEADER_VALUES_UNIFIED
      • setHttpHeaderValuesUnified

        public static void setHttpHeaderValuesUnified(boolean bHttpHeaderValuesUnified)
        Enable or disable the unification of HTTP header values.
        Parameters:
        bHttpHeaderValuesUnified - true to enable it, false to disable it.
        Since:
        9.1.4
      • isHttpHeaderValuesQuoteIfNecessary

        public static boolean isHttpHeaderValuesQuoteIfNecessary()
        Returns:
        true if HTTP header values will be unified and quoted if necessary, false if not.
        Since:
        9.1.4
        See Also:
        DEFAULT_HTTP_HEADER_VALUES_QUOTE_IF_NECESSARY
      • setHttpHeaderValuesQuoteIfNecessary

        public static void setHttpHeaderValuesQuoteIfNecessary(boolean bHttpHeaderValuesQuoteIfNecessary)
        Enable or disable the automatic quoting of HTTP header values. This only takes effect if unification is enabled.
        Parameters:
        bHttpHeaderValuesQuoteIfNecessary - true to enable it, false to disable it.
        Since:
        9.1.4
        See Also:
        setHttpHeaderValuesUnified(boolean)