[UI] Prevent UI from XSS
[validation.git] / ui / src / main / webapp / WEB-INF / web.xml
index 92a2d59..e65accc 100644 (file)
@@ -12,7 +12,7 @@
     xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
     version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 
-    <display-name>AECBlueprintValidationUI</display-name>
+    <display-name>bluvalui</display-name>
 
     <!-- The app can function on a HA cluster -->
     <distributable />
     <session-config>
         <session-timeout>30</session-timeout>
         <tracking-mode>COOKIE</tracking-mode>
+        <cookie-config>
+            <http-only>true</http-only>
+            <secure>true</secure>
+        </cookie-config>
     </session-config>
     <filter>
         <filter-name>SecurityXssFilter</filter-name>
         <location>/WEB-INF/jsp/error.jsp</location>
     </error-page>
 
+     <!-- Require HTTPS for everything except /img (favicon) and /css. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>HTTPSOnly</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>HTTPSOrHTTP</web-resource-name>
+            <url-pattern>*.ico</url-pattern>
+            <url-pattern>/img/*</url-pattern>
+            <url-pattern>/css/*</url-pattern>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
 </web-app>
\ No newline at end of file
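Review bot: The HTTPSOrHTTP constraint (the second security-constraint, transport-guarantee NONE) lets `/css/*` and `/img/*` be served over plain HTTP, which weakens the HTTPSOnly rule more than the comment suggests: a stylesheet fetched over HTTP can be altered in transit, and browsers refuse HTTP stylesheets on an HTTPS page as mixed content, so the carve-out gives no benefit to pages the first constraint already forces onto HTTPS. Unless a known HTTP-only consumer of these paths exists, drop `<url-pattern>/css/*</url-pattern>` (ideally the whole second constraint) so every path stays CONFIDENTIAL. The comment above the constraints names only /img and /css while the constraint also lists `*.ico`; on Tomcat, prefix patterns such as `/*` are matched before extension patterns, so `*.ico` likely never selects this constraint and a root-level favicon would still require HTTPS — either serve the favicon from `/img/` or remove that pattern, and reword the comment to `<!-- Require HTTPS for everything; /img/* and /css/* (static assets) are additionally reachable over plain HTTP. -->`. That comment line also carries one extra leading space compared with the surrounding four-space indentation.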