[jakartaee-platform-dev] Jakarta EE Http Firewall

[Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>]

Hi All,

Please provide  valuable suggestion for adding an Http Firewall as part of Jakarta Http Specification. Details of the proposal are explained in the below mail.

regards,

Guru

---

From: Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Sent: 07 February 2025 15:34
To: EE4J Security project <jakarta-security-dev@xxxxxxxxxxx>
Subject: Jakarta EE Http Firewall

 

Hi Team,

Jakarta EE Application should have security against common exploits, various exploits that Jakarta Security can protects against can be grouped as follows:

• Cross Site Request Forgery (CSRF) attack.
• Secure HTTP Response Headers.
• All HTTP-based communication, including static resources, should be protected by using TLS.

Http Firewall is one of the methods by which Jakarta Application can be secured and Whenever possible, the protection should be enabled by default.

Please advice on Http Firewall for Jakarta 12 Applications.

Please note Spring provides Http Firewall with following protection:

1) Spring security CSRF protection: https://docs.spring.io/spring-security/reference/features/exploits/csrf.html

2) Spring security HTTP Response Headers:  https://docs.spring.io/spring-security/reference/features/exploits/headers.html

3) Spring Security HTTP protection: https://docs.spring.io/spring-security/reference/features/exploits/http.html

HTTP :: Spring Security

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.

docs.spring.io