This document explains how to enable HTTP filters through the server configuration to mitigate common web application attacks (the OWASP recommendations covered below) and denial-of-service (DoS) request floods. The HTTP filter XML configuration tags must be placed inside the http tag.

1 OWASPProtectionFilter

1.1 Enable Strict-Transport-Security header

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it must only be accessed using HTTPS, never plain HTTP. Browsers only honour the header when it arrives over HTTPS, and once accepted they refuse HTTP connections to the host for max-age seconds (31536000 in the example is one year), so enable it only when every host covered, including all subdomains when includeSubDomains is set, serves HTTPS.

Example

<filter className="deister.axional.server.http.filters.OWASPProtectionFilter">
    <arguments>
        <entry>
            <key>hsts-enabled</key>
            <value>true</value>
        </entry>
        <entry>
            <key>hsts-value</key>
            <value>max-age=31536000; includeSubDomains</value>
        </entry>        
    </arguments>
</filter>

1.2 Content-Security-Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attack, including cross-site scripting (XSS) and data injection. These attacks are used for everything from data theft to site defacement to distribution of malware. The csp-* keys correspond to the CSP directives of the same name (csp-script-src to script-src, and so on) and take the standard CSP source-list syntax as their value. Note that the example below allows 'unsafe-inline' and 'unsafe-eval' in script-src: that keeps inline and eval-based scripts working, but it gives up most of the protection CSP offers against injected script, so tighten these sources as far as the application allows.

See the Content Security Policy Reference for more options.

Example
<filter className="deister.axional.server.http.filters.OWASPProtectionFilter">
    <arguments>
        <entry>
            <key>csp-default-src</key>
            <value>'self'</value>
        </entry>
        <entry><key>csp-script-src</key> <value>'self' 'unsafe-eval' 'unsafe-inline'</value></entry>
        <entry><key>csp-style-src</key> <value>'self' 'unsafe-inline'</value></entry>
        <entry><key>csp-img-src</key> <value>'self' data:</value></entry>
        <entry><key>csp-font-src</key> <value>'self' http: https:</value></entry>
        <entry><key>csp-frame-src</key> <value>'self' http: https:</value></entry>
        <entry><key>csp-connect-src</key> <value>'self'</value></entry>
    </arguments>
</filter>

1.3 X-XSS-Protection

The HTTP X-XSS-Protection response header was a feature of Internet Explorer, Chrome and Safari that stopped pages from loading when the browser detected a reflected cross-site scripting (XSS) attack. It is non-standard: current Chromium-based browsers (Chrome, Edge) have removed the filter and Firefox never implemented it, and it is unnecessary in modern browsers when the site sends a strong Content-Security-Policy that does not allow inline JavaScript ('unsafe-inline'). It can still protect users of older browsers that do not support CSP. Use the value 1; mode=block as in the example: the plain 1 (sanitise and render) mode has been shown to introduce vulnerabilities into otherwise safe pages, whereas mode=block stops rendering altogether.

Example
<filter className="deister.axional.server.http.filters.OWASPProtectionFilter">
    <arguments>
        <entry>
            <key>xss-enabled</key>
            <value>true</value>
        </entry>
        <entry>
            <key>xss-value</key>
            <value>1; mode=block</value>
        </entry>
    </arguments>
</filter>
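
The following script is an added example, not code from the Axional Studio documentation or product. It parses an OWASPProtectionFilter configuration of the kind shown in 1.1 to 1.3, derives the response headers the filter should produce, diffs them against a captured response head (a constructed sample here, in practice the output of curl -sI against the server), and flags CSP source lists that re-enable inline or eval'd script. The mapping from argument keys to headers is inferred from the key names and is an assumption, not taken from the filter's source.

```python
"""Verify the response headers an OWASPProtectionFilter configuration should produce.

Added example, not code from the Axional Studio documentation or product. It
assumes (inferred from the key names, not from the filter's source) that the
filter maps its arguments to headers as:
  hsts-enabled / hsts-value -> Strict-Transport-Security
  xss-enabled  / xss-value  -> X-XSS-Protection
  csp-<directive>           -> one Content-Security-Policy directive, joined
                               with "; " in configuration order
"""
import xml.etree.ElementTree as ET

OWASP_FILTER = "deister.axional.server.http.filters.OWASPProtectionFilter"

# Constructed sample: the page's HSTS, CSP and XSS examples merged into one
# filter, placed inside the <http> tag as the documentation requires.
CONFIG_XML = """<http>
  <filter className="deister.axional.server.http.filters.OWASPProtectionFilter">
    <arguments>
      <entry><key>hsts-enabled</key><value>true</value></entry>
      <entry><key>hsts-value</key><value>max-age=31536000; includeSubDomains</value></entry>
      <entry><key>csp-default-src</key><value>'self'</value></entry>
      <entry><key>csp-script-src</key><value>'self' 'unsafe-eval' 'unsafe-inline'</value></entry>
      <entry><key>csp-img-src</key><value>'self' data:</value></entry>
      <entry><key>xss-enabled</key><value>true</value></entry>
      <entry><key>xss-value</key><value>1; mode=block</value></entry>
    </arguments>
  </filter>
</http>"""

# Constructed sample response head (what `curl -sI https://host/apps/` would
# show); Strict-Transport-Security is deliberately missing, as happens when a
# reverse proxy in front of the server strips it.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
X-XSS-Protection: 1; mode=block
"""

def filter_arguments(config_xml, class_name):
    """{key: value} for every <entry> of the first <filter> with class_name."""
    root = ET.fromstring(config_xml)
    for flt in root.iter("filter"):
        if flt.get("className") == class_name:
            return {(e.findtext("key") or "").strip(): (e.findtext("value") or "").strip()
                    for e in flt.iter("entry")}
    return {}

def expected_headers(args):
    """Headers the filter is assumed to emit for the given arguments."""
    headers = {}
    if args.get("hsts-enabled", "false").lower() == "true":
        headers["Strict-Transport-Security"] = args.get("hsts-value", "")
    if args.get("xss-enabled", "false").lower() == "true":
        headers["X-XSS-Protection"] = args.get("xss-value", "")
    directives = [f"{k[len('csp-'):]} {v}" for k, v in args.items() if k.startswith("csp-")]
    if directives:
        headers["Content-Security-Policy"] = "; ".join(directives)
    return headers

def weak_csp_sources(csp):
    """(directive, sources) pairs where script or style execution is re-enabled
    through 'unsafe-inline' or 'unsafe-eval', which undo most of CSP's XSS value."""
    findings = []
    for directive in csp.split(";"):
        parts = directive.split()
        if len(parts) < 2:
            continue
        name, sources = parts[0], parts[1:]
        bad = [s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")]
        if bad and name in ("default-src", "script-src", "style-src"):
            findings.append((name, bad))
    return findings

def parse_response_headers(raw):
    """Parse a raw response head into {Title-Case-Name: value}; header names are
    case-insensitive, so both sides are normalised before comparison."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().title()] = value.strip()
    return headers

def missing_or_wrong(expected, actual):
    """Expected headers that are absent from, or differ in, the observed response."""
    return {name: (value, actual.get(name.title()))
            for name, value in expected.items() if actual.get(name.title()) != value}

if __name__ == "__main__":
    exp = expected_headers(filter_arguments(CONFIG_XML, OWASP_FILTER))
    for name, (want, got) in missing_or_wrong(exp, parse_response_headers(SAMPLE_RESPONSE)).items():
        print(f"MISMATCH {name}: expected {want!r}, got {got!r}")
    for name, bad in weak_csp_sources(exp.get("Content-Security-Policy", "")):
        print(f"WEAK CSP {name}: {' '.join(bad)}")
```

Run it against a real response by replacing SAMPLE_RESPONSE with the head returned by curl -sI; a MISMATCH on Strict-Transport-Security after the filter is enabled usually means a proxy or load balancer in front of the server is dropping the header, and a WEAK CSP finding on script-src is the signal to start removing 'unsafe-inline' and 'unsafe-eval' from the policy.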

2 CSRFSecurityFilter

Cross-Site Request Forgery (CSRF) is a type of attack in which a malicious web site, email, blog, instant message or program causes a user's web browser to perform an unwanted action on a trusted site while the user is authenticated to it. The attack works because the browser automatically includes any credentials associated with the site, such as the user's session cookie, with every request it sends there, so the site cannot distinguish a forged request from a legitimate one sent by the victim. The defence is a token or identifier that the attacker cannot read and that, unlike cookies, is not attached automatically to the forged requests. The CSRFSecurityFilter is mapped by path to the applications that need this protection, as in the example. For more information on CSRF, see the OWASP Cross-Site Request Forgery (CSRF) page.

Example
<filter className="deister.axional.server.http.filters.CSRFSecurityFilter" path="/apps/*"></filter>

<filter className="deister.axional.server.http.filters.CSRFSecurityFilter" path="/os/*"></filter>

3 ServerDoSFilter

The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious or the result of a misconfigured client. It keeps track of the number of requests per second from each connection (or session; see trackSessions below). When a client exceeds the limit, the underlying Jetty DoSFilter delays, throttles or rejects the request and logs a warning. The filter works on the assumption that the attacking client may be written in a simple blocking style, so that suspending its requests ties up the attacker's resources rather than the server's threads. The DoS filter is related to the Jetty QoS filter and uses Continuations to prioritise requests and avoid thread starvation; see the Jetty DoSFilter documentation for details.

Example

In a typical Axional Studio installation, the following filters are recommended:

<filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/account/*">
    <arguments>
        <entry>
            <key>delayMs</key>
            <value>500</value>
        </entry>
    </arguments>
</filter>

<filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/rest/*">
    <arguments>
        <entry>
            <key>delayMs</key>
            <value>500</value>
        </entry>
        <entry>
            <key>maxRequestMs</key>
            <value>300000</value>
        </entry>
    </arguments>
</filter>

<filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/soap/*">
    <arguments>
        <entry>
            <key>delayMs</key>
            <value>500</value>
        </entry>
        <entry>
            <key>maxRequestMs</key>
            <value>300000</value>
        </entry>
    </arguments>
</filter>

3.1 Configuring DoS Filter Parameters

The following init parameters control the behaviour of the filter (they are those of the underlying Jetty DoSFilter):

maxRequestsPerSec
Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
delayMs
Delay, in ms, imposed on all requests over the rate limit before they are considered at all. Allowed values:
  • Default: 100 ms
  • -1: reject the request
  • 0: no delay
  • any other value: delay in ms
maxWaitMs
Length of time, in ms, to block waiting for the throttle semaphore. Default is 50.
throttledRequests
Number of requests over the rate limit able to be considered at once. Default is 5.
throttleMs
Length of time, in ms, to wait asynchronously for the throttle semaphore. Default is 30000 (30 s).
maxRequestMs
Length of time, in ms, to allow the request to run. Default is 30000 (30 s), which is too short for long-running REST or SOAP calls; the recommended configuration above raises it to 300000 (5 minutes) on those paths.
maxIdleTrackerMs
Length of time, in ms, to keep track of request rates for a connection before deciding that the user has gone away and discarding the tracker. Default is 30000 (30 s).
insertHeaders
If true, insert the DoSFilter headers into the response. Default is true.
trackSessions
If true, the usage rate is tracked by session if a session exists. Default is true.
remotePort
If true and session tracking is not used, the rate is tracked by IP address and port (effectively per connection). Default is false.
ipWhitelist
A comma-separated list of IP addresses that will not be rate limited.
managedAttr
If true, the filter is set as a ServletContext attribute with the filter name as the attribute name, so that a mechanism outside the context (for example JMX via ContextHandler.MANAGED_ATTRIBUTES) can manage the filter's configuration. Default is false.
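
Because every parameter that is not set falls back to the default above, it is easy to believe a path is protected differently from how it actually is. The following script is an added example, not part of Axional Studio: it reads the ServerDoSFilter mappings from an http configuration (the three recommended filters above, embedded as a constructed sample), merges each one over the documented defaults, rejects misspelt keys, and applies a few warning rules of its own (the 300000 ms threshold for maxRequestMs and the per-IP tracking note are this example's operational choices, not the product's).

```python
"""Compute the effective ServerDoSFilter settings per path and flag questionable
values. Added example, not part of Axional Studio; the parameter names, types and
defaults are the ones documented above (they match Jetty's DoSFilter), while the
warning rules are this example's own operational choices."""
import xml.etree.ElementTree as ET

DOS_FILTER = "deister.axional.server.http.filters.ServerDoSFilter"

# Documented parameters: name -> (type, default)
PARAMETERS = {
    "maxRequestsPerSec": (int, 25),
    "delayMs": (int, 100),
    "maxWaitMs": (int, 50),
    "throttledRequests": (int, 5),
    "throttleMs": (int, 30000),
    "maxRequestMs": (int, 30000),
    "maxIdleTrackerMs": (int, 30000),
    "insertHeaders": (bool, True),
    "trackSessions": (bool, True),
    "remotePort": (bool, False),
    "ipWhitelist": (list, []),
    "managedAttr": (bool, False),
}

# Constructed sample: the three recommended filters from this page.
SAMPLE_CONFIG = """<http>
  <filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/account/*">
    <arguments><entry><key>delayMs</key><value>500</value></entry></arguments>
  </filter>
  <filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/rest/*">
    <arguments>
      <entry><key>delayMs</key><value>500</value></entry>
      <entry><key>maxRequestMs</key><value>300000</value></entry>
    </arguments>
  </filter>
  <filter className="deister.axional.server.http.filters.ServerDoSFilter" path="/soap/*">
    <arguments>
      <entry><key>delayMs</key><value>500</value></entry>
      <entry><key>maxRequestMs</key><value>300000</value></entry>
    </arguments>
  </filter>
</http>"""

def _coerce(name, raw):
    """Convert the string inside <value> to the parameter's documented type."""
    kind = PARAMETERS[name][0]
    if kind is int:
        return int(raw)
    if kind is bool:
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{name}: expected true or false, got {raw!r}")
        return raw.lower() == "true"
    return [ip.strip() for ip in raw.split(",") if ip.strip()]  # ipWhitelist

def dos_filters(config_xml):
    """Yield (path, {param: raw value}) for each ServerDoSFilter under <http>.
    A filter without a path attribute is reported as "/*" (an assumption; the
    page's examples always set path)."""
    root = ET.fromstring(config_xml)
    for flt in root.iter("filter"):
        if flt.get("className") == DOS_FILTER:
            args = {(e.findtext("key") or "").strip(): (e.findtext("value") or "").strip()
                    for e in flt.iter("entry")}
            yield flt.get("path", "/*"), args

def effective_config(args):
    """Explicit arguments merged over the documented defaults. Unknown keys are an
    error because a typo would otherwise silently leave the default in force."""
    unknown = set(args) - set(PARAMETERS)
    if unknown:
        raise ValueError(f"unknown ServerDoSFilter parameter(s): {sorted(unknown)}")
    cfg = {name: default for name, (_, default) in PARAMETERS.items()}
    cfg.update({name: _coerce(name, raw) for name, raw in args.items()})
    return cfg

def warnings_for(path, cfg, min_request_ms=300000):
    """Findings for one filter mapping (this example's rules, not the product's)."""
    found = []
    if cfg["maxRequestsPerSec"] <= 0:
        found.append(f"{path}: maxRequestsPerSec must be positive")
    if cfg["delayMs"] == -1:
        found.append(f"{path}: delayMs=-1 rejects every request above "
                     f"{cfg['maxRequestsPerSec']}/s instead of delaying it")
    if cfg["maxRequestMs"] < min_request_ms:
        found.append(f"{path}: maxRequestMs={cfg['maxRequestMs']} ms is below "
                     f"{min_request_ms} ms; long-running requests will be cut off")
    if not cfg["trackSessions"] and not cfg["remotePort"]:
        found.append(f"{path}: rate tracked per IP only; clients behind one "
                     "proxy or NAT share a single limit")
    return found

if __name__ == "__main__":
    for path, args in dos_filters(SAMPLE_CONFIG):
        cfg = effective_config(args)
        print(path, {k: cfg[k] for k in ("maxRequestsPerSec", "delayMs", "maxRequestMs")})
        for w in warnings_for(path, cfg):
            print("  WARNING", w)
```

On the sample configuration the script reports that /account/* still runs with the 30 s default for maxRequestMs while /rest/* and /soap/* have the raised 300000 ms value; whether that is a problem depends on how long account requests legitimately take, which is exactly the question the effective view is meant to prompt.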