| Class | |
|---|---|
| Component | |
DynamoHandler is always the first servlet in a pipeline. This pipeline servlet takes in an HttpServletRequest/Response pair and passes on a DynamoHttpServletRequest/Response pair. Putting this servlet at the head of the pipeline ensures that all subsequent pipeline servlets are passed all the functionality of DynamoHttpServletRequest and DynamoHttpServletResponse.
RequestLocale Object
The DynamoHandler servlet also creates a RequestLocale object in the request. This servlet identifies the locale of the request and sets the locale property of the request's RequestLocale accordingly. This enables you to deliver different content based on the visitor's locale. You can disable the creation of RequestLocale objects by setting the DynamoHandler's generateRequestLocales property to false.
See the Internationalizing an Oracle Commerce Platform Web Site chapter of this guide for more information.
Preventing User Interface Redress Attacks (Clickjacking)
A user interface redress attack (often referred to as clickjacking) is a hacking technique in which a user is tricked into executing malicious code by clicking an apparently innocuous link or button on a web site. For example, a button might have a hidden script that executes when the button is clicked and transmits personal information about the user.
To protect against clickjacking, most browsers support fields in HTTP response headers that prevent site pages from being rendered in frames or iframes, thus ensuring that these pages are not embedded in the pages of another site. The DynamoHandler servlet has three properties that you can use to insert these fields in response headers:
XFrameOptionsHeader – inserts an X-Frame-Options field
contentSecurityPolicyHeader – inserts a Content-Security-Policy field
contentSecurityPolicyReportOnlyHeader – inserts a Content-Security-Policy-Report-Only field
The value you specify for one of these properties is used as the value for the corresponding header field. For example, you could set the contentSecurityPolicyHeader property like this:
contentSecurityPolicyHeader=frame-options 'deny'
This results in the following field being inserted in response headers:
Content-Security-Policy: frame-options 'deny'
Note that some browsers may not support all three of these fields, or may ignore certain fields if others are present. You should check which fields and values are supported by commonly used browsers before setting these properties.
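As an added example (not code from this guide or from the Oracle Commerce Platform), the following Python check inspects the response headers that DynamoHandler can emit and reports whether a page can still be framed by another site; the header values it is given are constructed. It treats the CSP Level 2 directive frame-ancestors as the enforced form, since the draft frame-options directive used in the example above was withdrawn before browsers adopted it, and it flags the Report-Only header as non-blocking.

```python
# Added example, not code from the Oracle Commerce Platform guide or the platform
# itself. It inspects a dict of response headers (names matched case-insensitively)
# and reports whether another site can still frame the page.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_findings(headers):
    """Return (blocked, notes): whether cross-site framing is blocked, and why."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    blocked, notes = False, []

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        blocked = True
        notes.append(f"X-Frame-Options {xfo} blocks cross-site framing")
    elif xfo:
        notes.append(f"X-Frame-Options {xfo!r} is neither DENY nor SAMEORIGIN; current browsers do not honour it")

    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        # 'none' and 'self' both keep other origins out; an explicit host list is
        # only as safe as the hosts on it, so flag it for review instead.
        if ancestors in (["'none'"], ["'self'"]):
            blocked = True
            notes.append(f"CSP frame-ancestors {ancestors[0]} blocks cross-site framing")
        else:
            notes.append(f"CSP frame-ancestors permits {' '.join(ancestors)}; review that list")
    elif "frame-options" in csp:
        notes.append("CSP frame-options is a withdrawn draft directive; browsers enforce "
                     "frame-ancestors instead")

    if "frame-ancestors" in parse_csp(h.get("content-security-policy-report-only", "")):
        notes.append("Content-Security-Policy-Report-Only only reports violations; it never blocks framing")

    if not blocked:
        notes.append("nothing blocks cross-site framing: set XFrameOptionsHeader=DENY or "
                     "contentSecurityPolicyHeader=frame-ancestors 'none'")
    return blocked, notes

if __name__ == "__main__":  # constructed sample: the guide's own example value
    print(framing_findings({"Content-Security-Policy": "frame-options 'deny'"}))
```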