RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Olaf & Chris, By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 6 from external world? I just don’t want people to find out that I am using Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this possible? I just need Apache HTTPD server to take care of headers and let Tomcat do rest of the stuff (which it is already doing in my case). Do I still need to configure anything other than headers in my case? Regards, Mohammad -Original Message- From: Olaf Kock [mailto:tom...@olafkock.de] Sent: 31 May 2017 16:38 To: Tomcat Users List <users@tomcat.apache.org> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.: > Hello Olaf, > > Thanks for your response! > > Based on your inputs, we are thinking to put Apache httpd in front of Tomcat > 6 server, since our header configuration is going to be static. > > Can you please help us in identifying which version of Apache HTTP Server we > can use for Tomcat 6 version? Also, it will be great if you can share some > guidelines on how to implement Apache in front of Tomcat. For completeness sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6. Every current Apache httpd is fine, no version restriction. Especially: Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration. I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy. Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris, My actual requirement was to implement 7 HTTP headers, out of which 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in any of the filters available in Tomcat 7, 8 & 9 versions. Is there any way that we implement these 3 headers in Tomcat? Regards, Mohammad -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: 01 June 2017 19:59 To: users@tomcat.apache.org Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mohammad, On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote: > What should be name of the new JAR file that I would create for the > Filter classes? It doesn't matter. > There are multiple JAR files in lib folder. Does the name of these JAR > files have any significance? Not really. > My understanding is that as long as you have your code (.class > files) is present in any of the JAR files under "lib" folder, system > would get it. You don’t need to have a specific-named JAR files having > specific-named .class files. The .class files from all the jar files > under lib folder is considered as one big collection, and based on the > invoked classname its corresponding .class file gets executed from > that big code. Multiple JAR files with different names is setup just > for logical classification of classes. Please correct me if this is > not right. You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there. Remember: Upgrade ASAP. - -chris > -Original Message- From: Christopher Schultz > [mailto:ch...@christopherschultz.net] Sent: 31 May 2017 23:52 To: > users@tomcat.apache.org Subject: [External] Re: Security Headers > Implementation in Tomcat 6.x version > > Mohammad, > > On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote: >> Can I simply use the JAR files from Tomcat 7 that contains executable >> code of filter classes (security headers), and put them into >> corresponding location in Tomcat 6? > > Definitely don't do that. But you could probably grab the compiled > .class files from Tomcat 7's binary distribution... just make sure you > have all of them. > > So, basically, create a new JAR file that contains only those Filter > classes (don't forget any inner classes that might be found in > separate .class files). > > -chris > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you > have received it in error, please notify the sender immediately and > delete the original. Any other use of the e-mail by you is prohibited. > Where allowed by local law, electronic communications with Accenture > and its affiliates, including e-mail and instant messaging (including > content), may be scanned by our systems for the purposes of > information security and assessment of internal compliance with > Accenture policy. > __ > > www.accenture.com > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJZMCSuAAoJEBzwKT+lPKRYuXoQAMLiiazF90PhBn4NxTu/Zh2u kqFbjTSUBRnk+KgQ7hezeRbQlLj/gt20Fywd8cvxOgXZ9CFGOVrxY5ljQdD/GQqi 3fr437iqlVXrzgIeZo/N7NAOQHa04ktMmGQiW+Hx3o8MyN6UlXUazL4K3ddiDNkx bnTCYXtjic66vTJvTr+I2TVy/gBTLe7V4ooxNVP9zv+NL3xFqFqb3ZrkoHI9xiTn aoM3HL2RMRu0Kt/fRAhzqOHYDj5uFttjXMfCVnm5+nBEE7R5ymihI8rMfVIxlIBo /28+3nRnOK63dhAKHfpnNgBykH3DDwtududKme6KpCzbuD/95seIGhr4aKtBL9ou gJXSaXt0IR7PFy4xiZGwdESr1OdR1/eTnyq8vNzIcmbEW9gv30dRhdytbie85nET 0G5OBIOZ4UGwjfGc5+ItCaNeAY4zsCofwlvvqjPG0xjM5uBJK6Eqy4dp++VYPv5Y qK/1Qpmzu+KALoV7nLXLDrRV3qes319XaWgKB9c8r6BH6vYIg5K+W+pR63TiFDLE /XHDxIpemsy6oq657sg0JI/48J8iiulbiIXsZ5bb1gjOg7bh4xz8XqOtSW2oqSju ngDPVYxotcbA6DWsaOZJu7WYfR0wjs+/gkhvX1GgICd2lixXZUwboTkOk9wNwArS HGUlc2U0LgTmSYLe+vj6 =oY0c -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional comm
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris, What should be name of the new JAR file that I would create for the Filter classes? There are multiple JAR files in lib folder. Does the name of these JAR files have any significance? My understanding is that as long as you have your code (.class files) is present in any of the JAR files under "lib" folder, system would get it. You don’t need to have a specific-named JAR files having specific-named .class files. The .class files from all the jar files under lib folder is considered as one big collection, and based on the invoked classname its corresponding .class file gets executed from that big code. Multiple JAR files with different names is setup just for logical classification of classes. Please correct me if this is not right. - Mohammad -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: 31 May 2017 23:52 To: users@tomcat.apache.org Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mohammad, On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote: > Can I simply use the JAR files from Tomcat 7 that contains executable > code of filter classes (security headers), and put them into > corresponding location in Tomcat 6? Definitely don't do that. But you could probably grab the compiled .class files from Tomcat 7's binary distribution... just make sure you have all of them. So, basically, create a new JAR file that contains only those Filter classes (don't forget any inner classes that might be found in separate .class files). - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJZLwnHAAoJEBzwKT+lPKRYVZ4P/1XAtHfld2JwqfQLLUTaiZ7C jlJoUOjImnwTI4JAKOnlaSIQ0c0IhboBlPxcuBOaAbn5zbKOQZslqbWhidnHuKp5 T5C8eChRR8OuP6cJAi2zCx0m7NgxInaYRIMdbxBGIwnAOZkaq0UgKY2JYo9OUfeJ S5VRuZIKdH8nE3dlriC72uZkn2ZXPoHMe3KyfsNZzR8UNqyZmQwUsb8645Xiw0up Sik6onVBiqSubnLCYslhizMiK7r7hU55whMbsS3tDXnfck8ZwE6nRldxRw630vet D9b00aUw5Em9SW9ZaeIG/n6x/L7hTFzJJFhKMuhEQHndo610xDiI+d2fADEfvx/i L5BKGzVwoUtq0MpUxKpwMeoKagA9NYpbSDyLpeJViqv/m77KOA4O2hGwmcq/UOml XFQ//5yaHvGL+W8ICNZCzgdTX5OgOwx0Nbu9ii7//FOcI5O2uT+0EN+LoagGpDNy OJmQm5PsXJDvScoyNRK+z6mgPpe+3YPR7tKfx9Aw6TlPecB8VaXY2zLMf7g0wck3 AMtGfaqKw1kSjLEmLrSb7rUCDxEROXh4zgpZS1Xv0/0tPfmoFPWxx7msw6bVd9CB aKKw7NbMkUehs4lBixzPGHqBQfpMyvJByUQyY4ThUCrJM/DU/9y2rwdwJGYFR+lv mD63/FtqNHglnYULpUTS =jN8f -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com
RE: Security Headers Implementation in Tomcat 6.x version
Hi Chris, Can I simply use the JAR files from Tomcat 7 that contains executable code of filter classes (security headers), and put them into corresponding location in Tomcat 6? Regards, Mohammad -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: 30 May 2017 21:06 To: users@tomcat.apache.org Subject: Re: Security Headers Implementation in Tomcat 6.x version -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mohammad, On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote: > Thanks for the valuable input, that helps!! We shall go with getting > the source package of Tomcat 7, put them in Tomcat 6 and use the > filters of Tomcat 7 in Tomcat 6. > > Can you please let me know from where I can get/download the source > package of Tomcat 7? Also can you please share the location of the > source package in Tomcat 6 so that we can replace it with the one from > Tomcat 7? The source download for Tomcat 7 is in the same place all the other downloads are. You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server. Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7. A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is foun d. - -chris > -Original Message- From: Christopher Schultz > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: > users@tomcat.apache.org Subject: Re: Security Headers Implementation > in Tomcat 6.x version > > Mohammad, > > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote: >> Based on your inputs, we are thinking to put Apache httpd in front of >> Tomcat 6 server, since our header configuration is going to be >> static. > > This might not be a bad idea for a number of reasons, but it is by no > means required. > > You can download the Tomcat 7 source package and use the security > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that > actually requires Tomcat 7 to run. > >> Can you please help us in identifying which version of Apache HTTP >> Server we can use for Tomcat 6 version? Also, it will be great if you >> can share some guidelines on how to implement Apache in front of >> Tomcat. > All supported versions of Apache web server work with app supported > versions of Tomcat (as well as Tomcat 6). You have several choices for > how to connect them together, but the most straightforward is to use > mod_proxy_http from httpd to Tomcat. > Tomcat behaves exactly as it did before and requires no additional > configuration unless you are moving TLS termination from Tomcat to > httpd. If that's the case, there are many guides on the web as well as > on Tomcat's Presentations Page[2] that document how to do that. > > Hope that helps, -chris > > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] > http://tomcat.apache.org/presentations.html > > - > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you > have received it in error, please notify the sender immediately and > delete the original. Any other use of the e-mail by you is prohibited. > Where allowed by local law, electronic communications with Accenture > and its affiliates, including e-mail and instant messaging (including > content), may be scanned by our systems for the purposes of > information security and assessment of internal compliance with > Accenture policy. > __ > > > www.accenture.com > > - > > &
RE: Security Headers Implementation in Tomcat 6.x version
Hi Chris, I got the source files (.java) of the filter classes that I was looking for. Should we compile the source file against the servlet jar file(s) present in "[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How to locate the exact JAR file which should be used to compile source files? My understanding is that as long as you have your code (.class files) in any of the JAR files under "lib" folder, system would get it. You don’t need to have specific code in specific JAR file. Code from all the jar files under lib folder is considered as one big code, and based on the class invoked its corresponding code gets executed from that one big code. Please correct me if this is not right. Also, should we include the filters in web.xml file under "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application? Regards, Mohammad -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: 30 May 2017 21:06 To: users@tomcat.apache.org Subject: Re: Security Headers Implementation in Tomcat 6.x version -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mohammad, On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote: > Thanks for the valuable input, that helps!! We shall go with getting > the source package of Tomcat 7, put them in Tomcat 6 and use the > filters of Tomcat 7 in Tomcat 6. > > Can you please let me know from where I can get/download the source > package of Tomcat 7? Also can you please share the location of the > source package in Tomcat 6 so that we can replace it with the one from > Tomcat 7? The source download for Tomcat 7 is in the same place all the other downloads are. You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server. Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7. A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is foun d. - -chris > -Original Message- From: Christopher Schultz > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: > users@tomcat.apache.org Subject: Re: Security Headers Implementation > in Tomcat 6.x version > > Mohammad, > > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote: >> Based on your inputs, we are thinking to put Apache httpd in front of >> Tomcat 6 server, since our header configuration is going to be >> static. > > This might not be a bad idea for a number of reasons, but it is by no > means required. > > You can download the Tomcat 7 source package and use the security > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that > actually requires Tomcat 7 to run. > >> Can you please help us in identifying which version of Apache HTTP >> Server we can use for Tomcat 6 version? Also, it will be great if you >> can share some guidelines on how to implement Apache in front of >> Tomcat. > All supported versions of Apache web server work with app supported > versions of Tomcat (as well as Tomcat 6). You have several choices for > how to connect them together, but the most straightforward is to use > mod_proxy_http from httpd to Tomcat. > Tomcat behaves exactly as it did before and requires no additional > configuration unless you are moving TLS termination from Tomcat to > httpd. If that's the case, there are many guides on the web as well as > on Tomcat's Presentations Page[2] that document how to do that. > > Hope that helps, -chris > > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] > http://tomcat.apache.org/presentations.html > > - > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > This message is for the design
Source Package file path location in Tomcat
Hello, Can you please help in sharing the Source Package file path location in Tomcat 6 and 7 versions? We need to put the Source Package of Tomcat 7 in Tomcat 6 so that we can use the security filters of Tomcat 7 in Tomcat 6. Regards, Mohammad Nayeem This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com
RE: Security Headers Implementation in Tomcat 6.x version
Hello Chris, Thanks for the valuable input, that helps!! We shall go with getting the source package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in Tomcat 6. Can you please let me know from where I can get/download the source package of Tomcat 7? Also can you please share the location of the source package in Tomcat 6 so that we can replace it with the one from Tomcat 7? Regards, Mohammad -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: users@tomcat.apache.org Subject: Re: Security Headers Implementation in Tomcat 6.x version -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mohammad, On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote: > Based on your inputs, we are thinking to put Apache httpd in front of > Tomcat 6 server, since our header configuration is going to be static. This might not be a bad idea for a number of reasons, but it is by no means required. You can download the Tomcat 7 source package and use the security filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires Tomcat 7 to run. > Can you please help us in identifying which version of Apache HTTP > Server we can use for Tomcat 6 version? Also, it will be great if you > can share some guidelines on how to implement Apache in front of > Tomcat. All supported versions of Apache web server work with app supported versions of Tomcat (as well as Tomcat 6). You have several choices for how to connect them together, but the most straightforward is to use mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did before and requires no additional configuration unless you are moving TLS termination from Tomcat to httpd. If that's the case, there are many guides on the web as well as on Tomcat's Presentations Page[2] that document how to do that. Hope that helps, - -chris [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] http://tomcat.apache.org/presentations.html -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJZLD3hAAoJEBzwKT+lPKRYPh0P/RiGWVDs8c/PsFdC8VmU8fBB V+EqkBd3SMeMK9l/2NtHW+MK/5BkkB5/2ebZiivCBYVTkUi4jaqnBvy981EJFcFb vxovSsFhkhAPnr2DtZcg98wkTJ5dwT7ze50Cx/VBeXVlZD8n/nh+Msv5a1Fab0qI dTzTGUwAguFwVZHkZX16LefqHvbvC6R5lJDCkqdtWx51KbDB4fY2TdVhzGK1vCEk Vgrg4uEhjrkS/d6YgU4VWY8gHF2202DbmGPyZjIlh8l3R9bFWUE5NEg0AokOAAxR AySanDW0J1QNKjm11KQuwynDVTqLGu9u9JBxKYsqsZsjjzSIpHFzVislI/lIbKBi RKb1m+Hsfm0LkmDX+9N47EKXG5B6HOenUjWnjy2BCBnkINPXSbGOPXrG4028hSmo NlPWGZTFSJnlcE4mLTxHZBQjPwgg2pmn/Ck4LsP9PFJITC3/2jtCpnwCv29pcxx8 ILG8On65M9uA2AdnhGucNvSpV5nsfPujhBQtB44A9Xd9V3ssdqn+hSgorZ4aMY7U XPGyiUV985D+9XKkaHY0gBWjLdEBRZisWV1k66QjAWXC3ekdxGQzyV47RehwRueQ 6Zcc5MuH1F/3okJpXlxSwnpwfLyfZZPjZrhVoyKMxAWj2ozkIqPcfcSw8cYxN5hr Fx+sOmqCwHww762nVlnZ =03C1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Security Headers Implementation in Tomcat 6.x version
Hello Olaf, Thanks for your response! Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static. Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat. Regards, Mohammad Nayeem -Original Message- From: Olaf Kock [mailto:tom...@olafkock.de] Sent: 29 May 2017 13:53 To: users@tomcat.apache.org Subject: Re: Security Headers Implementation in Tomcat 6.x version Am 29.05.2017 um 07:59 schrieb Shaik, Mohammad N.: > We are using Tomcat 6.x version and we need to implement the following > headers in our environment. > > Headers: > 1) Strict-Transport-Security > 2) Content-Security-Policy > > 7) X-Robots-Tag > > When I checked the Tomcat 6 version webpage > (https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomcat-2D6.0-2Ddoc_config_filter.html=DwIC-g=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU=MmEr4IILdgkhxtcFHmAb7ZO1pGl9B2Gek5dFuSCIBKw= > ), I don't see any filters that implement any these headers. Some of them > are available in Tomcat 7 version webpage > (https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomcat-2D7.0-2Ddoc_config_filter.html=DwIC-g=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU=aSZ5lgpIY-aPi2TSYp6DDNykQA9QFD8ImYaIKp70gUA= > ), but we cannot upgrade to Tomcat 7.x version due to some constraints. > > Can you kindly guide me how to implement these headers in Tomcat 6.x version. > All your comments on this topic are welcome. As tomcat 6 is solid out of service for almost half a year already (see https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_tomcat-2D60-2Deol.html=DwIC-g=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU=4Z8PWPmO-QMztdwYP9hAotZazIQFlsSUO5SfDxrVjG4= ), you're between a rock and a hard place: Invest in a platform that's a potential security threat (it won't get any more updates) or invest in an upgrade. That out of the way, for most cases, just have an Apache httpd in front of tomcat and use its magic to tag most of your headers. For many it will be static configuration. If there's anything dynamic that you need, implement a servlet filter that just does the job. Hardcode it - you don't need a lot of configuration if you come up with a solution that's just used within your premises. If you have multiple web applications that all need the same filter, deploy the filter on all of them. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How to implement Security Headers in Tomcat 6
Hello, Can someone please let me know if the following headers are compatible with Tomcat 6.x version? If yes, then how do we enable them? Headers: 1) Strict-Transport-Security 2) Content-Security-Policy 3) Public-Key-Pins 4) X-Frame-Options 5) X-XSS-Protection 6) X-Content-Type-Options 7) X-Robots-Tag Kind Regards, Mohammad Nayeem This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com
Security Headers Implementation in Tomcat 6.x version
Hello, We are using Tomcat 6.x version and we need to implement the following headers in our environment. Headers: 1) Strict-Transport-Security 2) Content-Security-Policy 3) Public-Key-Pins 4) X-Frame-Options 5) X-XSS-Protection 6) X-Content-Type-Options 7) X-Robots-Tag When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints. Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome. Kind Regards, Mohammad Nayeem This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. __ www.accenture.com
