Sorry for the typo in my earlier email; I was talking about ExpiresFilter only. So how do I add this filter and filter mapping? Do I need to add both in the existing <filter-name>httpHeaderSecurity</filter-name>?

    <filter>
        <filter-name>ExpiresFilter</filter-name>
        <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
        <init-param>
            <param-name>ExpiresByType image</param-name>
            <param-value>access plus 10 days</param-value>
        </init-param>
        <init-param>
            <param-name>ExpiresByType text/css</param-name>
            <param-value>access plus 10 hours</param-value>
        </init-param>
        <init-param>
            <param-name>ExpiresByType application/javascript</param-name>
            <param-value>access plus 10 minutes</param-value>
        </init-param>
        <!-- Let everything else expire immediately -->
        <init-param>
            <param-name>ExpiresDefault</param-name>
            <param-value>access plus 0 seconds</param-value>
        </init-param>
    </filter>

On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:

> Hello Nitin,
>
> On 27.02.2019 08:52, Nitin Kadam wrote:
> > Hello,
> >
> > How can I change “Cache Control -private: to “Cache-Control: nostore”
> >
> > I searched and found that need to add express filters in web config but
> > not sure on where to add in filters.
> >
> > can you please guide me on same?
>
> as far as I can tell, that Header is already set by your application -
> Tomcat will not set it by default. Not to "private" for sure.
> So it may be necessary to change that in your config, maybe even code.
>
> Usually you would have to implement a CacheControl filter like the one
> mentioned here at stackoverflow
> https://stackoverflow.com/questions/2876250/tomcat-cache-control
>
> I don't know if the new ExpiresFilter will let you set the
> Cache-Control-Header to that necessary value (other than max-age=0).
>
> From my experience and the long history of many different browsers using
> different headers, the one header will maybe solve a vulnscan issue but
> not the compatibility with "all" browsers.
>
> Peter
>
> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> > <l...@kreuser.name> wrote:
> >
> >> Hi Nitin,
> >>
> >> Per se this can be done by enabling the
> >> org.apache.catalina.filters.HttpHeaderSecurityFilter
> >> in the global or your webapp's web.xml
> >>
> >> For CSP you should write your own Filter.
> >>
> >> Beware though that Content Security Policy is nothing that can be
> >> enabled without application know-how, the right settings for your
> >> needs and intensive testing. You may really break inline Javascript
> >> in your pages (css too).
> >>
> >> Please check out the great websites of Scott Helme on the Headers
> >> https://Securityheaders.io or
> >> https://scotthelme.co.uk/csp-cheat-sheet/
> >>
> >> Peter
> >>
> >> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
> >> >
> >> > Hello Team
> >> >
> >> > Need help to enable below security headers in Apache tomcat 7.0.79
> >> > Operating system is windows 2012 R2
> >> >
> >> > 1. Content security headers
> >> > 2. HSTS header
> >> >
> >> > Regards
> >> > Nitin

--
Regards
Nitin Kadam (9967688959)