Application Framework

Security

The linkki application framework uses Vaadin, which is a server-side framework. This means that the internal state and logic reside on the server and are not exposed to the browser. The Vaadin Security Architecture documentation explains the security benefits of this design.

HTTP response headers

OWASP offers an overview of security-related HTTP headers, as well as a recommendation for each. These headers generally increase security by adding further restrictions on what the browser will do with the response, so make sure you understand the impact on your application before setting them.

Vaadin already sets a few of these headers. The value of Content-Security-Policy may be reported as unsafe by some tools; the value Vaadin sets is required for the client-side engine to start.

Additional headers can be added to the initial page request by registering a VaadinServiceInitListener, which in turn adds an IndexHtmlRequestListener that modifies the response for that request.

Example implementation of VaadinServiceInitListener
import org.springframework.stereotype.Component;

import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

// Registered as a Spring bean; Vaadin picks up VaadinServiceInitListener beans on service start.
@Component
public class ApplicationServiceInitListener implements VaadinServiceInitListener {

    private static final long serialVersionUID = 1L;

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // The listener is invoked for the initial page (index HTML) request.
        event.addIndexHtmlRequestListener(new SecurityHeaderSetter());
    }
}
Example implementation of IndexHtmlRequestListener
import com.vaadin.flow.server.communication.IndexHtmlRequestListener;
import com.vaadin.flow.server.communication.IndexHtmlResponse;

public class SecurityHeaderSetter implements IndexHtmlRequestListener {

    private static final long serialVersionUID = 1L;

    @Override
    public void modifyIndexHtmlResponse(IndexHtmlResponse indexHtmlResponse) {
        // Headers are added to the underlying HTTP response of the initial page request.
        // Content-Security-Policy is left untouched because Vaadin sets the value it needs.
        indexHtmlResponse.getVaadinResponse().setHeader("Referrer-Policy", "no-referrer");
        indexHtmlResponse.getVaadinResponse().setHeader("X-Frame-Options", "deny");
        indexHtmlResponse.getVaadinResponse().setHeader("X-Content-Type-Options", "nosniff");
        indexHtmlResponse.getVaadinResponse().setHeader("Permissions-Policy", "microphone=(),camera=()");
    }
}
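A unit test for the SecurityHeaderSetter above, as an added example that is not part of the linkki documentation; it assumes JUnit 5 and Mockito on the test classpath and mocks the Vaadin response, so it checks only what the listener sets on the initial page request, and that the Content-Security-Policy set by Vaadin is not overwritten.

```java
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import org.junit.jupiter.api.Test;

import com.vaadin.flow.server.VaadinResponse;
import com.vaadin.flow.server.communication.IndexHtmlResponse;

class SecurityHeaderSetterTest {

    @Test
    void setsExpectedHeadersOnIndexResponse() {
        // Mocks stand in for the servlet container (assumption: Mockito can mock IndexHtmlResponse).
        VaadinResponse vaadinResponse = mock(VaadinResponse.class);
        IndexHtmlResponse indexHtmlResponse = mock(IndexHtmlResponse.class);
        when(indexHtmlResponse.getVaadinResponse()).thenReturn(vaadinResponse);

        new SecurityHeaderSetter().modifyIndexHtmlResponse(indexHtmlResponse);

        // Every header from the listener must reach the HTTP response exactly as configured.
        verify(vaadinResponse).setHeader("Referrer-Policy", "no-referrer");
        verify(vaadinResponse).setHeader("X-Frame-Options", "deny");
        verify(vaadinResponse).setHeader("X-Content-Type-Options", "nosniff");
        verify(vaadinResponse).setHeader("Permissions-Policy", "microphone=(),camera=()");

        // The listener must not replace the Content-Security-Policy that Vaadin needs to start its client.
        verify(vaadinResponse, never()).setHeader(eq("Content-Security-Policy"), anyString());
    }
}
```

Because only the index HTML response passes through this listener, responses served by other endpoints (static resources, REST controllers) still need their headers checked separately, for example with an HTTP client against a running instance.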