Hello Team,

I have added the filter given below and restarted the Tomcat service, but it still shows Cache Control as private. Please help me with this.

On Wed, Feb 27, 2019 at 2:54 PM logo <l...@kreuser.name> wrote:

> Hi Nitin,
>
> On 27.02.2019 10:11, Nitin Kadam wrote:
> > Sorry for the typo in my earlier email, I was talking about ExpiresFilter only
> >
> > so how do I add this filter and filter mapping? Do I need to add
> > both in the existing <filter-name>httpHeaderSecurity</filter-name>
> >
> > <filter>
> >   <filter-name>ExpiresFilter</filter-name>
> >   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
> >   <init-param>
> >     <param-name>ExpiresByType image</param-name>
> >     <param-value>access plus 10 days</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>ExpiresByType text/css</param-name>
> >     <param-value>access plus 10 hours</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>ExpiresByType application/javascript</param-name>
> >     <param-value>access plus 10 minutes</param-value>
> >   </init-param>
> >   <!-- Let everything else expire immediately -->
> >   <init-param>
> >     <param-name>ExpiresDefault</param-name>
> >     <param-value>access plus 0 seconds</param-value>
> >   </init-param>
> > </filter>
>
> this is an extra entry. I don't know if you should really put this in
> the global web.xml or rather in your application's web.xml. Maybe Mark
> can let us know more about possible consequences?
>
> Add the <filter>...</filter> AND the <filter-mapping>!!!
>
> Peter
>
> > On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:
> >
> >> Hello Nitin,
> >>
> >> On 27.02.2019 08:52, Nitin Kadam wrote:
> >> > Hello,
> >> >
> >> > How can I change “Cache Control -private: to “Cache-Control: nostore”
> >> >
> >> > I searched and found that need to add express filters in web config but not
> >> > sure on where to add in filters.
> >> >
> >> > Can you please guide me on same?
> >> >
> >>
> >> as far as I can tell, that Header is already set by your application -
> >> Tomcat will not set it by default. Not to "private" for sure.
> >> So it may be necessary to change that in your config, maybe even code.
> >>
> >> Usually you would have to implement a CacheControl filter like the one
> >> mentioned here at stackoverflow
> >> https://stackoverflow.com/questions/2876250/tomcat-cache-control
> >>
> >> I don't know if the new ExpiresFilter will let you set the
> >> Cache-Control-Header to that necessary value (other than max-age=0).
> >>
> >> From my experience and the long history of many different browsers
> >> using different headers, the one header will maybe solve a vulnscan
> >> issue but not the compatibility with "all" browsers.
> >>
> >> Peter
> >>
> >> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> >> > <l...@kreuser.name> wrote:
> >> >
> >> >> Hi Nitin,
> >> >>
> >> >> Per se this can be done by enabling the
> >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter
> >> >> in the global or your webapp's web.xml
> >> >>
> >> >> For CSP you should write your own Filter.
> >> >>
> >> >> Beware though that Content Security Policy is nothing that can be
> >> >> enabled without application know-how, the right settings for your
> >> >> needs and intensive testing. You may really break inline Javascript
> >> >> in your pages (css too).
> >> >>
> >> >> Please check out the great websites of Scott Helme on the Headers
> >> >> https://Securityheaders.io or
> >> >> https://scotthelme.co.uk/csp-cheat-sheet/
> >> >>
> >> >> Peter
> >> >>
> >> >> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
> >> >> >
> >> >> > Hello Team
> >> >> >
> >> >> > Need help to enable below security headers in Apache Tomcat 7.0.79
> >> >> > Operating system is Windows 2012 R2
> >> >> >
> >> >> > 1. Content security headers
> >> >> > 2. HSTS header
> >> >> >
> >> >> > Regards
> >> >> > Nitin
> >> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
>

--
Regards
Nitin Kadam (9967688959)