Hello, we don't have any reverse proxy in the middle layers and we have added the filters in web.config only. Please find attached snaps of the same. I am new to Tomcat, so I wasn't able to understand all the terms.
On Wed, Feb 27, 2019 at 9:20 PM logo <l...@kreuser.name> wrote:

> Hello Nitin,
>
> On 27.02.2019 16:34, Nitin Kadam wrote:
>
> > Hello Team,
> >
> > I have added the below given filter and restarted the Tomcat service;
> > still it shows Cache-Control as private.
> > Please help me on the same.
>
> Pictures are stripped off the mailing list, so better send us text logs.
>
> Nevertheless, I told you before, the Cache-Control header may come from
> your webapp. So you have to check the web.xml of the app for a possible
> filter. Maybe it's also in the framework or the servlets itself. What is
> happening if you request a resource from another context?
> If it is set in the app, then possibly nothing in Tomcat will be able to
> remove it from the response (maybe a reverse proxy like Apache or
> nginx).
>
> Hope this helps.
>
> Peter
>
> > On Wed, Feb 27, 2019 at 2:54 PM logo <l...@kreuser.name> wrote:
> >
> > > Hi Nitin,
> > >
> > > On 27.02.2019 10:11, Nitin Kadam wrote:
> > > > Sorry for the typo in the earlier email, I was talking about ExpiresFilter only.
> > > >
> > > > So how do I add this filter and filter mapping? Do I need to add
> > > > both in the existing <filter-name>httpHeaderSecurity</filter-name>?
> > > >
> > > > <filter>
> > > >   <filter-name>ExpiresFilter</filter-name>
> > > >   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
> > > >   <init-param>
> > > >     <param-name>ExpiresByType image</param-name>
> > > >     <param-value>access plus 10 days</param-value>
> > > >   </init-param>
> > > >   <init-param>
> > > >     <param-name>ExpiresByType text/css</param-name>
> > > >     <param-value>access plus 10 hours</param-value>
> > > >   </init-param>
> > > >   <init-param>
> > > >     <param-name>ExpiresByType application/javascript</param-name>
> > > >     <param-value>access plus 10 minutes</param-value>
> > > >   </init-param>
> > > >   <!-- Let everything else expire immediately -->
> > > >   <init-param>
> > > >     <param-name>ExpiresDefault</param-name>
> > > >     <param-value>access plus 0 seconds</param-value>
> > > >   </init-param>
> > > > </filter>
> > >
> > > This is an extra entry. I don't know if you should really put this in
> > > the global web.xml or rather in your application's web.xml. Maybe Mark
> > > can let us know more about possible consequences?
> > >
> > > Add the <filter>...</filter> AND the <filter-mapping>!!!
> > >
> > > Peter
> > >
> > > > On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:
> > > >
> > > > > Hello Nitin,
> > > > >
> > > > > On 27.02.2019 08:52, Nitin Kadam wrote:
> > > > > > Hello,
> > > > > >
> > > > > > How can I change "Cache-Control: private" to "Cache-Control: no-store"?
> > > > > >
> > > > > > I searched and found that I need to add express filters in web config,
> > > > > > but I am not sure where to add them in the filters.
> > > > > >
> > > > > > Can you please guide me on the same?
> > > > >
> > > > > As far as I can tell, that header is already set by your application -
> > > > > Tomcat will not set it by default. Not to "private" for sure.
> > > > > So it may be necessary to change that in your config, maybe even code.
> > > > >
> > > > > Usually you would have to implement a CacheControl filter like the one
> > > > > mentioned here at stackoverflow
> > > > > https://stackoverflow.com/questions/2876250/tomcat-cache-control [1]
> > > > >
> > > > > I don't know if the new ExpiresFilter will let you set the
> > > > > Cache-Control header to that necessary value (other than max-age=0).
> > > > >
> > > > > From my experience and the long history of many different browsers
> > > > > using different headers, the one header will maybe solve a vulnscan
> > > > > issue but not the compatibility with "all" browsers.
> > > > >
> > > > > Peter
> > > > >
> > > > > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> > > > > > <l...@kreuser.name> wrote:
> > > > > >
> > > > > > > Hi Nitin,
> > > > > > >
> > > > > > > Per se this can be done by enabling the
> > > > > > > org.apache.catalina.filters.HttpHeaderSecurityFilter
> > > > > > > in the global or your webapp's web.xml.
> > > > > > >
> > > > > > > For CSP you should write your own Filter.
> > > > > > >
> > > > > > > Beware though that Content Security Policy is nothing that can be
> > > > > > > enabled without application know-how, the right settings for your
> > > > > > > needs and intensive testing. You may really break inline JavaScript
> > > > > > > in your pages (CSS too).
> > > > > > >
> > > > > > > Please check out the great websites of Scott Helme on the headers:
> > > > > > > https://Securityheaders.io [2] or
> > > > > > > https://scotthelme.co.uk/csp-cheat-sheet/ [3]
> > > > > > >
> > > > > > > Peter
> > > > > > >
> > > > > > > > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > Hello Team,
> > > > > > > >
> > > > > > > > I need help to enable the below security headers in Apache Tomcat 7.0.79.
> > > > > > > > The operating system is Windows 2012 R2.
> > > > > > > >
> > > > > > > > 1. Content security headers
> > > > > > > > 2. HSTS header
> > > > > > > >
> > > > > > > > Regards
> > > > > > > > Nitin
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> > --
> > Regards
> > Nitin Kadam
> > (9967688959)
>
> Links:
> ------
> [1] https://stackoverflow.com/questions/2876250/tomcat-cache-control
> [2] https://Securityheaders.io
> [3] https://scotthelme.co.uk/csp-cheat-sheet/

--
Regards
Nitin Kadam
(9967688959)
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
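Editor's note on the approach discussed in this thread. Tomcat's ExpiresFilter only generates Expires and Cache-Control max-age values from the response's Content-Type, and it does not replace a Cache-Control header the application has already set, which is consistent with what Peter describes: if the webapp (or a framework filter inside it) emits Cache-Control: private, the ExpiresFilter configuration above cannot turn that into no-store. The usual fix is the custom filter Peter refers to. The following is an added example, not code from the thread or from the Tomcat project, of such a filter for a Servlet 3.0 container such as Tomcat 7. It sets the no-store headers before the application runs and additionally wraps the response so that a later setHeader("Cache-Control", "private") from the application is overridden rather than honoured. The class name NoStoreCacheControlFilter and the init-param name cacheControl are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Forces "Cache-Control: no-store" on every response that passes through it,
 * even when the application later calls setHeader("Cache-Control", "private").
 *
 * Assumed web.xml wiring (names are this example's own, not the thread's):
 *
 *   <filter>
 *     <filter-name>noStoreCacheControl</filter-name>
 *     <filter-class>NoStoreCacheControlFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noStoreCacheControl</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * Put this filter-mapping BEFORE the application's own filter-mappings so the
 * wrapper is in place before any application code touches the response.
 */
public class NoStoreCacheControlFilter implements Filter {

    // Value enforced on every response; overridable through the "cacheControl" init-param.
    private String cacheControl = "no-store, no-cache, must-revalidate";

    @Override
    public void init(FilterConfig config) {
        String v = config.getInitParameter("cacheControl");
        if (v != null && !v.trim().isEmpty()) {
            cacheControl = v.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse http = (HttpServletResponse) res;

        // Set the headers up front: a header set after chain.doFilter() is silently
        // dropped if the application has already committed (flushed) the response.
        http.setHeader("Cache-Control", cacheControl);
        http.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        http.setDateHeader("Expires", 0L);      // already expired

        // Hand the application a wrapper that refuses to change Cache-Control.
        chain.doFilter(req, new PinnedCacheControlResponse(http, cacheControl));
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Response wrapper that keeps Cache-Control pinned to the configured value. */
    static final class PinnedCacheControlResponse extends HttpServletResponseWrapper {
        private final String pinned;

        PinnedCacheControlResponse(HttpServletResponse response, String pinned) {
            super(response);
            this.pinned = pinned;
        }

        @Override
        public void setHeader(String name, String value) {
            // Ignore the caller's value for Cache-Control; re-assert the pinned one.
            super.setHeader(name, "Cache-Control".equalsIgnoreCase(name) ? pinned : value);
        }

        @Override
        public void addHeader(String name, String value) {
            if ("Cache-Control".equalsIgnoreCase(name)) {
                super.setHeader(name, pinned);  // collapse any additions to the pinned value
            } else {
                super.addHeader(name, value);
            }
        }
    }
}
```

Two caveats a practitioner should check before trusting this. First, the wrapper only intercepts calls made on the object it hands down the chain; a framework filter that unwraps the response (HttpServletResponseWrapper.getResponse()) or writes headers through a different path can still bypass it, so verify from outside with something like `curl -sI http://host/app/page` and look at the Cache-Control line rather than trusting the config. Second, as Peter notes, if the header is injected by something in front of Tomcat, or if you cannot change the application's deployment, the only remaining place to rewrite it is a reverse proxy such as Apache httpd or nginx.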