[COMP-1143]Missing HTTP Security Header (#955)

Signed-off-by: munishchouhan <hrma017@gmail.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: 3 people

src/main/groovy/io/seqera/wave/configuration/SecurityHeadersConfig.groovy

@@ -0,0 +1,120 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2024, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.configuration
+
+import javax.annotation.Nullable
+import javax.annotation.PostConstruct
+
+import groovy.transform.CompileStatic
+import groovy.transform.ToString
+import groovy.util.logging.Slf4j
+import io.micronaut.context.annotation.Requires
+import io.micronaut.context.annotation.Value
+import jakarta.inject.Singleton
+
+/**
+ * Configuration for HTTP security headers
+ *
+ * @author Munish Chouhan <munish.chouhan@seqera.io>
+ */
+@ToString(includeNames = true, includePackage = false)
+@CompileStatic
+@Slf4j
+@Singleton
+@Requires(property = 'wave.security.http-headers.enabled', value = 'true', defaultValue = 'true')
+class SecurityHeadersConfig {
+
+    /**
+     * Enable or disable security headers globally
+     */
+    @Value('${wave.security.http-headers.enabled:true}')
+    Boolean enabled
+
+    /**
+     * HSTS max-age in seconds
+     * default to 1 year (31536000 seconds)
+     * This tell browsers to only use HTTPS for one year (31,536,000 seconds) or custom value set by user,
+     * preventing downgrade attacks and improving security by ensuring encrypted connections by default,
+     * for more information check https://hstspreload.org/#submission-requirements
+     */
+    @Value('${wave.security.http-headers.hsts.max-age:31536000}')
+    Long hstsMaxAge
+
+    /**
+     * Include subdomains in HSTS
+     */
+    @Value('${wave.security.http-headers.hsts.include-sub-domains:true}')
+    Boolean hstsIncludeSubDomains
+
+    /**
+     * X-Frame-Options header value (default: `DENY`)
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.frame-options}')
+    String frameOptions
+
+    /**
+     * X-Content-Type-Options header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.content-type-options}')
+    String contentTypeOptions
+
+    /**
+     * Referrer-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.referrer-policy}')
+    String referrerPolicy
+
+    /**
+     * Permissions-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.permissions-policy}')
+    String permissionsPolicy
+
+    /**
+     * Content-Security-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.content-security-policy}')
+    String contentSecurityPolicy
+
+    @PostConstruct
+    private void init() {
+        log.info("Security headers config: enabled=${enabled}; hsts-max-age=${hstsMaxAge}; hsts-include-sub-domains=${hstsIncludeSubDomains}; " +
+                "frame-options=${frameOptions}; content-type-options=${contentTypeOptions}; referrer-policy=${referrerPolicy}; " +
+                "permissions-policy=${permissionsPolicy}; csp=${contentSecurityPolicy}")
+    }
+
+    /**
+     * Build the HSTS header value
+     */
+    String getHstsValue() {
+        if (hstsMaxAge == null) {
+            return null
+        }
+        final result = new StringBuilder("max-age=${hstsMaxAge}")
+        if (hstsIncludeSubDomains) {
+            result.append("; includeSubDomains")
+        }
+        return result.toString()
+    }
+}

src/main/groovy/io/seqera/wave/filter/FilterOrder.groovy

@@ -27,6 +27,7 @@ package io.seqera.wave.filter
  */
 interface FilterOrder {
 
+    final int SECURITY_HEADERS = -120
     final int DENY_CRAWLER = -110
     final int DENY_PATHS = -100
     final int RATE_LIMITER = -50

src/main/groovy/io/seqera/wave/filter/SecurityHeadersFilter.groovy

@@ -0,0 +1,98 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2024, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.filter
+
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import io.micronaut.context.annotation.Requires
+import io.micronaut.core.order.Ordered
+import io.micronaut.http.HttpResponse
+import io.micronaut.http.MutableHttpResponse
+import io.micronaut.http.annotation.ResponseFilter
+import io.micronaut.http.annotation.ServerFilter
+import io.seqera.wave.configuration.SecurityHeadersConfig
+import jakarta.inject.Inject
+import static io.micronaut.http.annotation.ServerFilter.MATCH_ALL_PATTERN
+
+/**
+ * HTTP filter to add security headers to all responses
+ *
+ * @author Munish Chouhan <munish.chouhan@seqera.io>
+ */
+@Slf4j
+@CompileStatic
+@ServerFilter(MATCH_ALL_PATTERN)
+@Requires(property = 'wave.security.http-headers.enabled', value = 'true', defaultValue = 'true')
+class SecurityHeadersFilter implements Ordered {
+
+    @Inject
+    private SecurityHeadersConfig config
+
+    @Override
+    int getOrder() {
+        return FilterOrder.SECURITY_HEADERS
+    }
+
+    @ResponseFilter
+    void responseFilter(HttpResponse<?> response) {
+        if (response instanceof MutableHttpResponse) {
+            addSecurityHeaders((MutableHttpResponse<?>) response)
+        }
+    }
+
+    /**
+     * Add security headers to the HTTP response
+     *
+     * @param response The mutable HTTP response to add headers to
+     */
+    protected void addSecurityHeaders(MutableHttpResponse<?> response) {
+        // Add HSTS header
+        final hstsValue = config.getHstsValue()
+        if (hstsValue) {
+            response.header('Strict-Transport-Security', hstsValue)
+        }
+
+        // Add X-Frame-Options
+        if (config.frameOptions) {
+            response.header('X-Frame-Options', config.frameOptions)
+        }
+
+        // Add X-Content-Type-Options
+        if (config.contentTypeOptions) {
+            response.header('X-Content-Type-Options', config.contentTypeOptions)
+        }
+
+        // Add Referrer-Policy
+        if (config.referrerPolicy) {
+            response.header('Referrer-Policy', config.referrerPolicy)
+        }
+
+        // Add Permissions-Policy
+        if (config.permissionsPolicy) {
+            response.header('Permissions-Policy', config.permissionsPolicy)
+        }
+
+        // Add Content-Security-Policy
+        if (config.contentSecurityPolicy) {
+            response.header('Content-Security-Policy', config.contentSecurityPolicy)
+        }
+
+        log.trace "Added security headers to response"
+    }
+}

src/main/resources/application.yml

@@ -50,6 +50,17 @@ wave:
   allowAnonymous: true
   server:
       url: "${WAVE_SERVER_URL:`http://localhost:9090`}"
+  security:
+    http-headers:
+      enabled: true
+      hsts:
+        max-age: 31536000
+        include-sub-domains: true
+      frame-options: "DENY"
+      content-type-options: "nosniff"
+      referrer-policy: "strict-origin-when-cross-origin"
+      permissions-policy: "camera=(), microphone=(), geolocation=()"
+      content-security-policy: "default-src 'self'; frame-ancestors 'none'"
   build:
     buildkit-image: "public.cr.seqera.io/wave/buildkit:v0.25.2-rootless"
     singularity-image: "public.cr.seqera.io/wave/singularity:v4.2.1-r4"