Trying fix for zap scan warning

CDCgov · Dec 26, 2024 · dcb2e04 · dcb2e04
1 parent b6eeec5
commit dcb2e04
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java b/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java
@@ -48,7 +48,14 @@ public static void main(String[] args) {
 
         // apply this security header to all responses, but allow it to be overwritten by a specific
         // endpoint by using `before` if needed
-        app.before(ctx -> ctx.header("X-Content-Type-Options", "nosniff"));
+        app.before(
+                ctx -> {
+                    ctx.header("X-Content-Type-Options", "nosniff");
+                    // Fix for https://www.zaproxy.org/docs/alerts/90004
+                    ctx.header("Cross-Origin-Resource-Policy", "same-origin");
+                    ctx.header("Cross-Origin-Opener-Policy", "same-origin");
+                    ctx.header("Cross-Origin-Embedder-Policy", "require-corp");
+                });
 
         try {
             app.get(HEALTH_API_ENDPOINT, ctx -> ctx.result("Operational"));