Header Filter

Header Filter
Previous	Chapter 18. Provided Servlets, Filters, and Handlers Home	Next

Info
Usage

Info

Classname: org.eclipse.jetty.servlets.HeaderFilter
Maven Artifact: org.eclipse.jetty:jetty-servlets
Javadoc: http://www.eclipse.org/jetty/javadoc/9.4.12.v20180830/org/eclipse/jetty/servlets/HeaderFilter.html

Usage

The header filter sets or adds headers to each response based on an optionally included/excluded list of path specs, mime types, and/or HTTP methods. This filter processes its configured headers before calling doFilter in the filter chain. Some of the headers configured in this filter may get overwritten by other filters and/or the servlet processing the request.

Required JARs

To use the Header Filter, these JAR files must be available in WEB-INF/lib:

$JETTY_HOME/lib/jetty-http.jar
$JETTY_HOME/lib/jetty-servlets.jar
$JETTY_HOME/lib/jetty-util.jar

Sample Configuration

Place the configuration in a webapp’s web.xml or jetty-web.xml. This filter will perform the following actions on each response:

Set the X-Frame-Options header to DENY.
Add a Cache-Control header containing no-cache, no-store, must-revalidate
Set the Expires header to approximately one year in the future.
Add a Date header with the current system time.

Note
Each action must be separated by a comma.

<filter>
   <filter-name>HeaderFilter</filter-name>
   <filter-class>org.eclipse.jetty.servlets.HeaderFilter</filter-class>
   <init-param>
     <param-name>headerConfig</param-name>
     <param-value>
      set X-Frame-Options: DENY,
      "add Cache-Control: no-cache, no-store, must-revalidate",
      setDate Expires: 31540000000,
      addDate Date: 0
     </param-value>
   </init-param>
 </filter>

Configuring Header Filter Parameters

The following init parameters control the behavior of the filter:

includedPaths: Optional. Comma separated values of included path specs.
excludedPaths: Optional. Comma separated values of excluded path specs.
includedMimeTypes: Optional. Comma separated values of included mime types. The mime type will be guessed from the extension at the end of the request URL if the content type has not been set on the response.
excludedMimeTypes: Optional. Comma separated values of excluded mime types. The mime type will be guessed from the extension at the end of the request URL if the content type has not been set on the response.
includedHttpMethods: Optional. Comma separated values of included http methods.
excludedHttpMethods: Optional. Comma separated values of excluded http methods.
headerConfig: Comma separated values of actions to perform on headers. The syntax for each action is action headerName: headerValue.

Supported header actions:

set - causes set setHeader to be called on the response
add - causes set addHeader to be called on the response
setDate - causes setDateHeader to be called on the response.
addDate - causes addDateHeader to be called on the response.

If setDate or addDate is used, headerValue should be the number of milliseconds to add to the current system time before writing the header value.

If a property is both included and excluded by the filter configuration, then it will be considered excluded.

Path spec rules:

If the spec starts with ^, the spec is assumed to be a regex based path spec and will match with normal Java regex rules.
If the spec starts with /, the spec is assumed to be a Servlet url-pattern rules path spec for either an exact match or prefix based match.
If the spec starts with *., the spec is assumed to be a Servlet url-pattern rules path spec for a suffix based match.
All other syntaxes are unsupported.

Previous	Top	Next
Denial of Service Filter	Home	Gzip Handler