Skip to content

fix: ensure that the behaviour is safe within the UI by introducing headers#4801

Open
iansergeant42 wants to merge 6 commits into
v3.x.xfrom
reboot/safe-behaviour-using-headers
Open

fix: ensure that the behaviour is safe within the UI by introducing headers#4801
iansergeant42 wants to merge 6 commits into
v3.x.xfrom
reboot/safe-behaviour-using-headers

Conversation

@iansergeant42

@iansergeant42 iansergeant42 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Description

Headers X-Frame-Options and X-Content-Type-Options. This change introduces them.

Linked to # (issue)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

  • fix: Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

For more details about how should the code look like read the Contributing guideline

Signed-off-by: Ian Sergeant <ian.sergeant@broadcom.com>
Signed-off-by: Ian Sergeant <ian.sergeant@broadcom.com>
Signed-off-by: Ian Sergeant <ian.sergeant@broadcom.com>
@iansergeant42 iansergeant42 changed the title Reboot/safe behaviour using headers fix: ensure that the behaviour is safe within the UI by introducing headers Jul 10, 2026
Signed-off-by: Ian Sergeant <ian.sergeant@broadcom.com>
Signed-off-by: Ian Sergeant <ian.sergeant@broadcom.com>
@sonarqubecloud

Copy link
Copy Markdown

@iansergeant42 iansergeant42 marked this pull request as ready for review July 10, 2026 13:50
@richard-salac

Copy link
Copy Markdown
Contributor

Testing on locally running modulith against catalog home page. The X-Frame-Options header is not returned:

curl -k -v https://localhost:10010/apicatalog/ui/v1/index.html#/login 
...> GET /apicatalog/ui/v1/index.html HTTP/1.1
> Host: localhost:10010
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Last-Modified: Fri, 10 Jul 2026 14:12:37 GMT
< Cache-Control: no-store, must-revalidate, private
< Accept-Ranges: bytes
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Type: text/html
< Content-Length: 1028
< Date: Fri, 10 Jul 2026 14:36:21 GMT
< 
<!DOCTYPE html>
...

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

class SecurityHeadersGlobalFilterTest {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For filters it is better to have an acceptance test as filters may interact and the result may not be always as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Development

Successfully merging this pull request may close these issues.

3 participants