From f7ecb4599137c13aa23f72eff173423de8e5f1c5 Mon Sep 17 00:00:00 2001
From: Nithin Nambiar <nithin.nambiar@alfresco.com>
Date: Thu, 4 Mar 2021 15:21:35 +0000
Subject: [PATCH] MNT-22184 Add security header for admin console (#323)

---
 .../alfresco/web-client-security-config.xml          | 12 +++++++++++-
 packaging/war/src/main/webapp/WEB-INF/web.xml        | 11 +++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/packaging/war/src/main/resources/alfresco/web-client-security-config.xml b/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
index 87f6dd1a7c..0d5362bd14 100644
--- a/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
+++ b/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
@@ -184,5 +184,15 @@
       </filter>
 
    </config>
-
+   <!--
+         A set of HTTP response headers that instructs the browser to behave in certain ways to improve security
+    -->
+   <config evaluator="string-compare" condition="SecurityHeadersPolicy">
+      <headers>
+         <header>
+            <name>X-Frame-Options</name>
+            <value>SAMEORIGIN</value>
+         </header>
+      </headers>
+   </config>
 </alfresco-config>
\ No newline at end of file
diff --git a/packaging/war/src/main/webapp/WEB-INF/web.xml b/packaging/war/src/main/webapp/WEB-INF/web.xml
index 9c102703d9..97af943fd3 100644
--- a/packaging/war/src/main/webapp/WEB-INF/web.xml
+++ b/packaging/war/src/main/webapp/WEB-INF/web.xml
@@ -104,6 +104,12 @@
       <filter-class>org.springframework.extensions.webscripts.servlet.CSRFFilter</filter-class>
    </filter>
 
+   <filter>
+      <description>Security Headers filter. Adds security response headers based on config.</description>
+      <filter-name>Security Headers Filter</filter-name>
+      <filter-class>org.springframework.extensions.webscripts.servlet.SecurityHeadersFilter</filter-class>
+   </filter>
+
    <!-- Enterprise filter placeholder -->
    <filter-mapping>
       <filter-name>Clear security context filter</filter-name>
@@ -225,6 +231,11 @@
       <url-pattern>/wcs/admin/*</url-pattern>
    </filter-mapping>
 
+   <filter-mapping>
+      <filter-name>Security Headers Filter</filter-name>
+      <url-pattern>/*</url-pattern>
+   </filter-mapping>
+
    <!-- Enterprise filter-mapping placeholder -->
    
    <!-- Spring Context Loader listener - can disable loading of context if runtime config changes are needed -->