Author: markt Date: Sat May 16 09:37:26 2015 New Revision: 1679716 URL: http://svn.apache.org/r1679716 Log: set the headers rather than add them Add header names to the docs and make clear that any existing headers will be replaced. Add the filter to the security howto
Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java tomcat/trunk/webapps/docs/config/filter.xml tomcat/trunk/webapps/docs/security-howto.xml Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1679716&r1=1679715&r2=1679716&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Sat May 16 09:37:26 2015
@@ -89,18 +89,18 @@ public class HttpHeaderSecurityFilter ex
 // HSTS
 if (hstsEnabled && request.isSecure() && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(HSTS_HEADER_NAME, hstsHeaderValue);
+ ((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
 }
 // anti click-jacking
 if (antiClickJackingEnabled && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(
+ ((HttpServletResponse) response).setHeader(
 ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
 }
 // Block content type sniffing
 if (blockContentTypeSniffingEnabled && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+ ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
 BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
 }
 chain.doFilter(request, response);
Modified: tomcat/trunk/webapps/docs/config/filter.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1679716&r1=1679715&r2=1679716&view=diff ==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat May 16 09:37:26 2015
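Review bot: The HSTS header is still gated on `request.isSecure()`, so behind a TLS-terminating reverse proxy it is silently never sent unless the connector or RemoteIpFilter marks those requests as secure, and the new security-howto text about co-ordinating with the proxy does not mention this. A comment on that `if` would prevent a quiet misconfiguration: `// isSecure() must reflect the client-facing scheme (e.g. via RemoteIpFilter); otherwise HSTS is never sent behind a proxy`. Separately, all three headers are set before `chain.doFilter(request, response)`, so any servlet or later filter that calls setHeader/addHeader on the same name will override or duplicate them; the new filter.xml wording that an existing header "will be replaced" is only true of headers set before this filter runs, which the Javadoc or docs should say. The enclosing doFilter method begins and ends outside the hunk.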
@@ -724,9 +724,11 @@ FINE: Request "/docs/config/manager.html
 <attributes>
 <attribute name="hstsEnabled" required="false">
- <p>Will an HTTP Strict Transport Security (HSTS) header be added to the
- response. See <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a>
- for further details of HSTS. If not specified, the default value of
+ <p>Will an HTTP Strict Transport Security (HSTS) header
+ (<code>Strict-Transport-Security</code>) be set on the response for
+ secure requests. Any HSTS header already present will be replaced. See
+ <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a> for further
+ details of HSTS. If not specified, the default value of
 <code>true</code> will be used.</p>
 </attribute>
@@ -743,8 +745,9 @@ FINE: Request "/docs/config/manager.html
 </attribute>
 <attribute name="antiClickJackingEnabled" required="false">
- <p>Should the anti click-jacking <code>X-Frame-Options</code> be added
- to the response. If not specified, the default value of
+ <p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
+ be set on the response. Any anti click-jacking header already present
+ will be replaced. If not specified, the default value of
 <code>true</code> will be used.</p>
 </attribute>
@@ -762,9 +765,10 @@ FINE: Request "/docs/config/manager.html
 </attribute>
 <attribute name="blockContentTypeSniffingEnabled" required="false">
- <p>Should the header that blocks content type sniffing be added to every
- response. If not specified, the default value of <code>true</code> will
- be used.</p>
+ <p>Should the header that blocks content type sniffing
+ (<code>X-Content-Type-Options</code>) be set on every response. If
+ already present, the header will be replaced. If not specified, the
+ default value of <code>true</code> will be used.</p>
 </attribute>
 </attributes>
Modified: tomcat/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1679716&r1=1679715&r2=1679716&view=diff ==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Sat May 16 09:37:26 2015
@@ -468,6 +468,13 @@ can be configured and used to reject requests that had errors during request parameter parsing. Without the filter the default behaviour is to ignore invalid or excessive parameters.</p>
+
+ <p><a href="config/filter.html">HttpHeaderSecurityFilter</a> can be
+ used to add headers to responses to improve security. If clients access
+ Tomcat directly, then you probably want to enable this filter and all the
+ headers it sets unless your application is already setting them. If Tomcat
+ is accessed via a reverse proxy, then the configuration of this filter needs
+ to be co-ordinated with any headers that the reverse proxy sets.</p>
 </section>
 <section name="General">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org