This is an automated email from the ASF dual-hosted git repository.
adamsaghy pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/develop by this push:
new 99f12d6091 FINERACT-2140: added hsts protocol support through system
property
99f12d6091 is described below
commit 99f12d6091653b368819939aa74d1d2b0c5e0816
Author: mark.vituska <[email protected]>
AuthorDate: Tue Apr 22 11:29:05 2025 +0200
FINERACT-2140: added hsts protocol support through system property
---
.../fineract/infrastructure/core/config/FineractProperties.java | 8 ++++++++
.../fineract/infrastructure/core/config/OAuth2SecurityConfig.java | 4 ++++
.../fineract/infrastructure/core/config/SecurityConfig.java | 5 +++++
fineract-provider/src/main/resources/application.properties | 1 +
fineract-provider/src/test/resources/application-test.properties | 1 +
5 files changed, 19 insertions(+)
diff --git
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java
index 69de793278..ed4064aa0a 100644
---
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java
+++
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java
@@ -491,6 +491,7 @@ public class FineractProperties {
private FineractSecurityBasicAuth basicauth;
private FineractSecurityTwoFactorAuth twoFactor;
private FineractSecurityOAuth oauth;
+ private FineractSecurityHsts hsts;
public void set2fa(FineractSecurityTwoFactorAuth twoFactor) {
this.twoFactor = twoFactor;
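Review bot: The new `hsts` field on the added line has no initializer, so the consumers this commit adds in OAuth2SecurityConfig and SecurityConfig (`fineractProperties.getSecurity().getHsts().isEnabled()`) throw a NullPointerException at startup if nothing under `fineract.security.hsts` gets bound — whether the Spring binder leaves the nested bean null in that case depends on the Boot version in use, so confirm before relying on it. The three sibling fields above follow the same uninitialized pattern, so this is consistent with the file, but for a security toggle a fail-safe default costs one line: `private FineractSecurityHsts hsts = new FineractSecurityHsts();`, which keeps HSTS off until explicitly enabled. The enclosing class continues outside the hunk.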
@@ -518,6 +519,13 @@ public class FineractProperties {
private boolean enabled;
}
+ @Getter
+ @Setter
+ public static class FineractSecurityHsts {
+
+ private boolean enabled;
+ }
+
@Getter
@Setter
public static class FineractTransactionProcessorItemProperties {
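Review bot: `FineractSecurityHsts.enabled` is undocumented, and its effect is not obvious from the name: per the consumers in this commit it both forces every request onto HTTPS and emits a one-year `Strict-Transport-Security` header with `includeSubDomains`. A short Javadoc on the class would save the next operator from having to read the security configs, e.g. `/** Enables HTTP Strict Transport Security: redirects all requests to HTTPS and sends a one-year HSTS header covering sub-domains. Only meaningful when clients reach the service over TLS. */`. The enclosing class continues outside the hunk.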
diff --git
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java
index 7411069de4..e20ba55560 100644
---
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java
+++
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java
@@ -128,6 +128,10 @@ public class OAuth2SecurityConfig {
http.requiresChannel(channel ->
channel.requestMatchers(antMatcher("/api/**")).requiresSecure());
}
+ if (fineractProperties.getSecurity().getHsts().isEnabled()) {
+ http.requiresChannel(channel ->
channel.anyRequest().requiresSecure()).headers(
+ headers -> headers.httpStrictTransportSecurity(hsts ->
hsts.includeSubDomains(true).maxAgeInSeconds(31536000)));
+ }
return http.build();
}
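Review bot: `channel.anyRequest().requiresSecure()` on the added lines forces an HTTPS redirect for every request this chain handles, which is wider than the `/api/**` matcher the `serverProperties.getSsl().isEnabled()` branch just above uses, and it is applied whether or not TLS is actually enabled on this server. When TLS is terminated at a reverse proxy and forwarded headers are not honoured, that redirect can loop and Spring's HSTS header writer, which by default only writes on requests it considers secure, would emit nothing — I cannot see the server configuration, so confirm, but a comment or startup check documenting that assumption seems warranted. The `31536000` literal should be a named constant, e.g. `private static final long HSTS_MAX_AGE_SECONDS = 365L * 24 * 60 * 60; // one year`, and `includeSubDomains(true)` commits every host under the domain, so consider exposing it through the same properties class rather than hard-coding it. The identical block is duplicated in SecurityConfig (the hunk at `@@ -158,6 +158,11 @@`); extracting a shared helper would keep the two filter chains from drifting. The enclosing method starts outside the hunk.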
diff --git
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
index f8ac860156..2aa96f7e5f 100644
---
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
+++
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
@@ -158,6 +158,11 @@ public class SecurityConfig {
if (serverProperties.getSsl().isEnabled()) {
http.requiresChannel(channel ->
channel.requestMatchers(antMatcher("/api/**")).requiresSecure());
}
+
+ if (fineractProperties.getSecurity().getHsts().isEnabled()) {
+ http.requiresChannel(channel ->
channel.anyRequest().requiresSecure()).headers(
+ headers -> headers.httpStrictTransportSecurity(hsts ->
hsts.includeSubDomains(true).maxAgeInSeconds(31536000)));
+ }
return http.build();
}
diff --git a/fineract-provider/src/main/resources/application.properties
b/fineract-provider/src/main/resources/application.properties
index 1df7880d9f..a627c44d21 100644
--- a/fineract-provider/src/main/resources/application.properties
+++ b/fineract-provider/src/main/resources/application.properties
@@ -24,6 +24,7 @@ fineract.node-id=${FINERACT_NODE_ID:1}
fineract.security.basicauth.enabled=${FINERACT_SECURITY_BASICAUTH_ENABLED:true}
fineract.security.oauth.enabled=${FINERACT_SECURITY_OAUTH_ENABLED:false}
fineract.security.2fa.enabled=${FINERACT_SECURITY_2FA_ENABLED:false}
+fineract.security.hsts.enabled=${FINERACT_SECURITY_HSTS_ENABLED:false}
fineract.tenant.host=${FINERACT_DEFAULT_TENANTDB_HOSTNAME:localhost}
fineract.tenant.port=${FINERACT_DEFAULT_TENANTDB_PORT:3306}
diff --git a/fineract-provider/src/test/resources/application-test.properties
b/fineract-provider/src/test/resources/application-test.properties
index 97b6f96f76..a7d6336e62 100644
--- a/fineract-provider/src/test/resources/application-test.properties
+++ b/fineract-provider/src/test/resources/application-test.properties
@@ -22,6 +22,7 @@ fineract.node-id=1
fineract.security.basicauth.enabled=true
fineract.security.oauth.enabled=false
fineract.security.2fa.enabled=false
+fineract.security.hsts.enabled=false
fineract.tenant.host=localhost
fineract.tenant.port=3306