This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 6124be5  Add HTTP header security filter to manager, host manager and 
examples
6124be5 is described below

commit 6124be56ea3fee23a9ec3ad8d128a7c93a598c89
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Nov 10 10:21:04 2020 +0000

    Add HTTP header security filter to manager, host manager and examples
---
 webapps/docs/changelog.xml           |  4 ++++
 webapps/examples/WEB-INF/web.xml     | 18 ++++++++++++++++++
 webapps/host-manager/WEB-INF/web.xml | 17 +++++++++++++++++
 webapps/manager/WEB-INF/web.xml      | 17 +++++++++++++++++
 4 files changed, 56 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9f4e3cd..6e85ee4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,10 @@
         <code>SameSite=strict</code> for all cookies, including session 
cookies,
         created by the application. (markt)
       </add>
+      <add>
+        Configure the examples, Manager and Host Manager to use the HTTP header
+        security filter with default settings apart from no HSTS header. 
(markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Other">
diff --git a/webapps/examples/WEB-INF/web.xml b/webapps/examples/WEB-INF/web.xml
index ac4840e..f294e2b 100644
--- a/webapps/examples/WEB-INF/web.xml
+++ b/webapps/examples/WEB-INF/web.xml
@@ -78,6 +78,18 @@
         </init-param>
     </filter>
 
+    <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it          
-->
+    <!-- interferes with an existing setting. Keep X-Content-Type-Options    
-->
+    <!-- and X-XSS-Protection as they are page specific.                     
-->
+    <filter>
+        <filter-name>HTTP header security filter</filter-name>
+        
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
     <!-- Define filter mappings for the timing filters -->
     <!--
     <filter-mapping>
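Review bot: The new filter definition makes only the HSTS decision explicit; the value X-Frame-Options will take (DENY vs SAMEORIGIN) is not visible in web.xml and is inherited from the filter's defaults (the changelog entry says "default settings apart from no HSTS header"), so it will silently follow any future change of those defaults. If the default is DENY, as I believe, any example page that loads another example in a frame or iframe will stop rendering, so it is worth grepping the examples for frameset/iframe before release and then pinning the intended policy: `<init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>` (or SAMEORIGIN if framing is used). The comment should also spell the header as `X-Frame-Options` rather than `X-FRAME-OPTIONS`, matching the other two header names in the same comment.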
@@ -107,6 +119,12 @@
     </filter-mapping>
 -->
 
+    <!-- Enable header security filter for all requests -->
+    <filter-mapping>
+        <filter-name>HTTP header security filter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- Define example application events listeners -->
     <listener>
         <listener-class>listeners.ContextListener</listener-class>
diff --git a/webapps/host-manager/WEB-INF/web.xml 
b/webapps/host-manager/WEB-INF/web.xml
index c315546..db785d1 100644
--- a/webapps/host-manager/WEB-INF/web.xml
+++ b/webapps/host-manager/WEB-INF/web.xml
@@ -68,11 +68,28 @@
     </init-param>
   </filter>
 
+  <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes 
-->
+  <!-- with an existing setting. Keep X-Content-Type-Options and             
-->
+  <!-- X-XSS-Protection as they are page specific.                           
-->
+  <filter>
+    <filter-name>HTTP header security filter</filter-name>
+    
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+    <init-param>
+      <param-name>hstsEnabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </filter>
+
   <filter-mapping>
     <filter-name>CSRF</filter-name>
     <servlet-name>HTMLHostManager</servlet-name>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>HTTP header security filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
   <!-- Define the Manager Servlet Mapping -->
   <servlet-mapping>
     <servlet-name>HostManager</servlet-name>
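Review bot: The comment's reason for `hstsEnabled=false`, "in case it interferes with an existing setting", hides the actual security point: Strict-Transport-Security is a host-wide policy (RFC 6797), so a browser that receives it from /host-manager applies it to every application on that host, which is why a webapp-scoped filter should not emit it. Suggest replacing the comment with `<!-- HSTS is deliberately off: the header is host-wide, not per-webapp, so the operator must set it at the Host or reverse-proxy level. -->` so a later maintainer does not "fix" the setting by turning it on here. The remaining headers are left to the filter's defaults per the changelog entry; spelling out their values as init-params would make the effective policy of a privileged application reviewable from web.xml alone.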
diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
index d91728e..1a161a7 100644
--- a/webapps/manager/WEB-INF/web.xml
+++ b/webapps/manager/WEB-INF/web.xml
@@ -112,11 +112,28 @@
     </init-param>
   </filter>
 
+  <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes 
-->
+  <!-- with an existing setting. Keep X-Content-Type-Options and             
-->
+  <!-- X-XSS-Protection as they are page specific.                           
-->
+  <filter>
+    <filter-name>HTTP header security filter</filter-name>
+    
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+    <init-param>
+      <param-name>hstsEnabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </filter>
+
   <filter-mapping>
     <filter-name>CSRF</filter-name>
     <servlet-name>HTMLManager</servlet-name>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>HTTP header security filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
   <!-- Define a Security Constraint on this Application -->
   <!-- NOTE:  None of these roles are present in the default users file -->
   <security-constraint>
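Review bot: The new filter leaves `xssProtectionEnabled` at the filter default (the changelog says only HSTS deviates from defaults), so the Manager will emit an X-XSS-Protection header. Current Chromium no longer has the XSS Auditor and Firefox never implemented one, so the header gives this application no protection, and the legacy auditor's filtering mode has been used as a cross-site-leak oracle, so for a privileged application it is better disabled explicitly: `<init-param><param-name>xssProtectionEnabled</param-name><param-value>false</param-value></init-param>`, or at minimum the comment should say it is kept only for legacy browsers rather than "because it is page specific". The comment's `X-FRAME-OPTIONS` should read `X-Frame-Options`. The security-constraint that follows continues outside the hunk.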

