This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 6124be5 Add HTTP header security filter to manager, host manager and examples 6124be5 is described below commit 6124be56ea3fee23a9ec3ad8d128a7c93a598c89 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Nov 10 10:21:04 2020 +0000 Add HTTP header security filter to manager, host manager and examples --- webapps/docs/changelog.xml | 4 ++++ webapps/examples/WEB-INF/web.xml | 18 ++++++++++++++++++ webapps/host-manager/WEB-INF/web.xml | 17 +++++++++++++++++ webapps/manager/WEB-INF/web.xml | 17 +++++++++++++++++ 4 files changed, 56 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 9f4e3cd..6e85ee4 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -128,6 +128,10 @@ <code>SameSite=strict</code> for all cookies, including session cookies, created by the application. (markt) </add> + <add> + Configure the examples, Manager and Host Manager to use the HTTP header + security filter with default settings apart from no HSTS header. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/examples/WEB-INF/web.xml b/webapps/examples/WEB-INF/web.xml index ac4840e..f294e2b 100644 --- a/webapps/examples/WEB-INF/web.xml +++ b/webapps/examples/WEB-INF/web.xml @@ -78,6 +78,18 @@ </init-param> </filter> + <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it --> + <!-- interferes with an existing setting. Keep X-Content-Type-Options --> + <!-- and X-XSS-Protection as they are page specific. --> + <filter> + <filter-name>HTTP header security filter</filter-name> + <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> + <init-param> + <param-name>hstsEnabled</param-name> + <param-value>false</param-value> + </init-param> + </filter> + <!-- Define filter mappings for the timing filters --> <!-- <filter-mapping> 
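Review bot: The comment placed above the new `HTTP header security filter` definition in webapps/examples/WEB-INF/web.xml says the filter is "Configured to set X-FRAME-OPTIONS", but the only explicit setting in the hunk is `hstsEnabled=false`; X-Frame-Options, X-Content-Type-Options and X-XSS-Protection are all coming from the filter's defaults, and "Keep ... as they are page specific" does not say why those defaults are acceptable here. Something like `<!-- Relies on the filter defaults for X-Frame-Options (DENY), X-Content-Type-Options and X-XSS-Protection; only HSTS is disabled so this app cannot conflict with an HSTS policy set at the Connector or a front-end proxy. -->` would describe what the config actually does. The same three-line comment is repeated in the host-manager and manager hunks below and would need the same wording change. One further thing worth recording in that comment: the default X-XSS-Protection value enables a browser filter that current guidance treats as deprecated, so if leaving it on was a deliberate choice, naming `xssProtectionEnabled` as the parameter to change makes the decision explicit rather than implicit.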
@@ -107,6 +119,12 @@ </filter-mapping> --> + <!-- Enable header security filter for all requests --> + <filter-mapping> + <filter-name>HTTP header security filter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + <!-- Define example application events listeners --> <listener> <listener-class>listeners.ContextListener</listener-class> diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml index c315546..db785d1 100644 --- a/webapps/host-manager/WEB-INF/web.xml +++ b/webapps/host-manager/WEB-INF/web.xml @@ -68,11 +68,28 @@ </init-param> </filter> + <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes --> + <!-- with an existing setting. Keep X-Content-Type-Options and --> + <!-- X-XSS-Protection as they are page specific. --> + <filter> + <filter-name>HTTP header security filter</filter-name> + <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> + <init-param> + <param-name>hstsEnabled</param-name> + <param-value>false</param-value> + </init-param> + </filter> + <filter-mapping> <filter-name>CSRF</filter-name> <servlet-name>HTMLHostManager</servlet-name> </filter-mapping> + <filter-mapping> + <filter-name>HTTP header security filter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + <!-- Define the Manager Servlet Mapping --> <servlet-mapping> <servlet-name>HostManager</servlet-name> diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml index d91728e..1a161a7 100644 --- a/webapps/manager/WEB-INF/web.xml +++ b/webapps/manager/WEB-INF/web.xml 
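Review bot: The new `<filter-mapping>` for `HTTP header security filter` uses `<url-pattern>/*</url-pattern>` with no `<dispatcher>` element, so by the servlet default it only runs on REQUEST dispatches; any response produced through an ERROR (or INCLUDE/FORWARD) dispatch is not guaranteed to pass through the filter. That matters most for the manager and host-manager apps, where 401/403 responses are generated by the authenticator before the filter chain is ever reached, so if their web.xml files (outside the hunk) define `<error-page>` entries for those codes, the ERROR-dispatched pages are the only place a filter could still attach the headers. If that coverage is intended, listing the dispatcher types explicitly, e.g. `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>ERROR</dispatcher>`, on the mapping makes the behaviour deliberate rather than default-dependent; I believe the filter refuses to run on an already committed response, so this should be verified against the error-page flow rather than assumed. The same mapping appears in the host-manager hunk on this line and in the manager hunk on the next line.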
@@ -112,11 +112,28 @@ </init-param> </filter> + <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes --> + <!-- with an existing setting. Keep X-Content-Type-Options and --> + <!-- X-XSS-Protection as they are page specific. --> + <filter> + <filter-name>HTTP header security filter</filter-name> + <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> + <init-param> + <param-name>hstsEnabled</param-name> + <param-value>false</param-value> + </init-param> + </filter> + <filter-mapping> <filter-name>CSRF</filter-name> <servlet-name>HTMLManager</servlet-name> </filter-mapping> + <filter-mapping> + <filter-name>HTTP header security filter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + <!-- Define a Security Constraint on this Application --> <!-- NOTE: None of these roles are present in the default users file --> <security-constraint> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org