Author: markt
Date: Sat May 16 09:37:26 2015
New Revision: 1679716
URL: http://svn.apache.org/r1679716
Log:
set the headers rather than add them
Add header names to the docs and make clear that any existing headers will be
replaced.
Add the filter to the security howto
Modified:
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
tomcat/trunk/webapps/docs/config/filter.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified:
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
Sat May 16 09:37:26 2015
@@ -89,18 +89,18 @@ public class HttpHeaderSecurityFilter ex
// HSTS
if (hstsEnabled && request.isSecure() && response instanceof
HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(HSTS_HEADER_NAME,
hstsHeaderValue);
+ ((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME,
hstsHeaderValue);
}
// anti click-jacking
if (antiClickJackingEnabled && response instanceof
HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(
+ ((HttpServletResponse) response).setHeader(
ANTI_CLICK_JACKING_HEADER_NAME,
antiClickJackingHeaderValue);
}
// Block content type sniffing
if (blockContentTypeSniffingEnabled && response instanceof
HttpServletResponse) {
- ((HttpServletResponse)
response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+ ((HttpServletResponse)
response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
}
chain.doFilter(request, response);
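Review bot: The HSTS branch at the top of the hunk is still gated on `request.isSecure()`, so when Tomcat sits behind a TLS-terminating reverse proxy that has not been configured to mark forwarded requests as secure (connector `secure="true"` or RemoteIpFilter), the `Strict-Transport-Security` header is presumably never set even though `hstsEnabled` is true, while the other two headers are unaffected; the commit's own howto text raises the reverse-proxy case, so a comment here would save a debugging round, e.g. `// HSTS only applies on TLS; behind a TLS-terminating proxy isSecure() is true only if the connector or RemoteIpFilter marks the request as secure`. Separately, all three setHeader calls run before `chain.doFilter(request, response)`, so "already present" in the new docs means headers set earlier in the chain — a servlet further down can still override them with its own setHeader, which is worth a sentence in filter.xml. The enclosing doFilter starts outside the hunk.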
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat May 16 09:37:26 2015
@@ -724,9 +724,11 @@ FINE: Request "/docs/config/manager.html
<attributes>
<attribute name="hstsEnabled" required="false">
- <p>Will an HTTP Strict Transport Security (HSTS) header be added to the
- response. See <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a>
- for further details of HSTS. If not specified, the default value of
+ <p>Will an HTTP Strict Transport Security (HSTS) header
+ (<code>Strict-Transport-Security</code>) be set on the response for
+ secure requests. Any HSTS header already present will be replaced. See
+ <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a> for further
+ details of HSTS. If not specified, the default value of
<code>true</code> will be used.</p>
</attribute>
@@ -743,8 +745,9 @@ FINE: Request "/docs/config/manager.html
</attribute>
<attribute name="antiClickJackingEnabled" required="false">
- <p>Should the anti click-jacking <code>X-Frame-Options</code> be added
- to the response. If not specified, the default value of
+ <p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
+ be set on the response. Any anti click-jacking header already present
+ will be replaced. If not specified, the default value of
<code>true</code> will be used.</p>
</attribute>
@@ -762,9 +765,10 @@ FINE: Request "/docs/config/manager.html
</attribute>
<attribute name="blockContentTypeSniffingEnabled" required="false">
- <p>Should the header that blocks content type sniffing be added to
every
- response. If not specified, the default value of <code>true</code> will
- be used.</p>
+ <p>Should the header that blocks content type sniffing
+ (<code>X-Content-Type-Options</code>) be set on every response. If
+ already present, the header will be replaced. If not specified, the
+ default value of <code>true</code> will be used.</p>
</attribute>
</attributes>
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Sat May 16 09:37:26 2015
@@ -468,6 +468,13 @@
can be configured and used to reject requests that had errors during
request parameter parsing. Without the filter the default behaviour is
to ignore invalid or excessive parameters.</p>
+
+ <p><a href="config/filter.html">HttpHeaderSecurityFilter</a> can be
+ used to add headers to responses to improve security. If clients access
+ Tomcat directly, then you probably want to enable this filter and all the
+ headers it sets unless your application is already setting them. If Tomcat
+ is accessed via a reverse proxy, then the configuration of this filter
needs
+ to be co-ordinated with any headers that the reverse proxy sets.</p>
</section>
<section name="General">