Re: Http insecure headers
Hello , We dint have any reverse proxy in middle layers and we have added filters in web.config only, Please find attached snaps of same. i am new to tomcat so didnt able to understand all terms. On Wed, Feb 27, 2019 at 9:20 PM logo wrote: > > > Hello Nitin, > > Am 27.02.2019 16:34, schrieb Nitin Kadam: > > > Hello Team, > > > > I have added below given filter and restarted tomcat service still it > shows Cache Control as private. > > Please help me on same. > > Pictures are stripped off the mailing list. so better send us text logs. > > > Nevertheless I told you before, the Cache-Control header may come from > your webapp. So you have to check the web.xml of the app for a possible > filter. Maybe it's also in the framework or the servlets itself. What is > happening if you request a resource from another context? > If it is set in the app, then possibly nothing in tomcat will be able to > remove it from the response (maybe a reverse proxy like apache or > nginx). > > Hope this helps. > > Peter > > > On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > > > >> Hi Nitin, > >> > >> Am 27.02.2019 10:11, schrieb Nitin Kadam: > >>> Sorry for typo in earlier email, i was saying about ExpiresFilter only > >>> > >>> so how do i add this filter and failter mapping , Do i need to add > >>> both in existing httpHeaderSecurity > >>> > >>> > >>> > >>> ExpiresFilter > >>> > >>> org.apache.catalina.filters.ExpiresFilter > >>> > >>> ExpiresByType image > >>> access plus 10 days > >>> > >>> > >>> ExpiresByType text/css > >>> access plus 10 hours > >>> > >>> > >>> ExpiresByType application/javascript > >>> access plus 10 minutes > >>> > >>> > >>> > >>> ExpiresDefault > >>> access plus 0 seconds > >>> > >> > >> this is an extra entry. I don't know if you should really put this in > >> the global web.xml or rather in your applications web.xml. Maybe Mark > >> can let us know more about possible consequences? > >> > >> Add the ... AND the !!! > >> > >> Peter > >> > >>> > >>> > >>> On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > >>> > Hello Nitin, > > Am 27.02.2019 08:52, schrieb Nitin Kadam: > > Hello, > > > > > > > > How can i change "Cache Control -private: to "Cache-Control: nostore" > > > > i searched and found that need to add express filters in web config > but > > not > > sure on where to add in filters. > > > > can you please guide me on same? > > > > as far as I can tell, that Header is already set by your application - > Tomcat will not set it by default. Not to "private" for sure. > So it may be necessary to change that in your config, maybe even code. > > Usually you would have to implement a CacheControl filter like the one > mentioned here at stackoverflow > https://stackoverflow.com/questions/2876250/tomcat-cache-control [1] > > I don't know if the new ExpiresFilter will let you set the > Cache-Control-Header to that necessary value (other than max-age=0). > > From my experience and the long history of many different browsers > using > different headers, the one header will maybe solve a vulnscan issue > but > not the compatibility with "all" browsers. > > Peter > > > > > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > > > wrote: > > > >> Hi Nitin, > >> > >> Per se this can be done by enabling the > >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> in the global or your webapp's web.xml > >> > >> For CSP you should write your own Filter. > >> > >> Beware though that Content Security Policy is nothing that can be > >> enabled > >> without application knowhow, the right settings for your needs and > >> intensive testing. You may really break inline Javascript in your > >> pages > >> (css too). > >> > >> Please check out the great websites of Scott Helme on the Headers > >> https://Securityheaders.io [2] or > >> https://scotthelme.co.uk/csp-cheat-sheet/ [3] > >> > >> > >> Peter > >> > >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam < > nitinkadam1...@gmail.com > >: > >> > > >> > Hello Team > >> > > >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> > Operating system is windows 2012 R2 > >> > > >> > 1. Content security headers > >> > 2. HSTS header > >> > > >> > Regards > >> > Nitin > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > >
Re: Http insecure headers
Hello Nitin, Am 27.02.2019 16:34, schrieb Nitin Kadam: > Hello Team, > > I have added below given filter and restarted tomcat service still it shows > Cache Control as private. > Please help me on same. Pictures are stripped off the mailing list. so better send us text logs. Nevertheless I told you before, the Cache-Control header may come from your webapp. So you have to check the web.xml of the app for a possible filter. Maybe it's also in the framework or the servlets itself. What is happening if you request a resource from another context? If it is set in the app, then possibly nothing in tomcat will be able to remove it from the response (maybe a reverse proxy like apache or nginx). Hope this helps. Peter > On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > >> Hi Nitin, >> >> Am 27.02.2019 10:11, schrieb Nitin Kadam: >>> Sorry for typo in earlier email, i was saying about ExpiresFilter only >>> >>> so how do i add this filter and failter mapping , Do i need to add >>> both in existing httpHeaderSecurity >>> >>> >>> >>> ExpiresFilter >>> >>> org.apache.catalina.filters.ExpiresFilter >>> >>> ExpiresByType image >>> access plus 10 days >>> >>> >>> ExpiresByType text/css >>> access plus 10 hours >>> >>> >>> ExpiresByType application/javascript >>> access plus 10 minutes >>> >>> >>> >>> ExpiresDefault >>> access plus 0 seconds >>> >> >> this is an extra entry. I don't know if you should really put this in >> the global web.xml or rather in your applications web.xml. Maybe Mark >> can let us know more about possible consequences? >> >> Add the ... AND the !!! >> >> Peter >> >>> >>> >>> On Wed, Feb 27, 2019 at 1:59 PM logo wrote: >>> Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: > Hello, > > > > How can i change "Cache Control -private: to "Cache-Control: nostore" > > i searched and found that need to add express filters in web config but > not > sure on where to add in filters. > > can you please guide me on same? > as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control [1] I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > wrote: > >> Hi Nitin, >> >> Per se this can be done by enabling the >> org.apache.catalina.filters.HttpHeaderSecurityFilter >> in the global or your webapp's web.xml >> >> For CSP you should write your own Filter. >> >> Beware though that Content Security Policy is nothing that can be >> enabled >> without application knowhow, the right settings for your needs and >> intensive testing. You may really break inline Javascript in your >> pages >> (css too). >> >> Please check out the great websites of Scott Helme on the Headers >> https://Securityheaders.io [2] or >> https://scotthelme.co.uk/csp-cheat-sheet/ [3] >> >> >> Peter >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : >> > >> > Hello Team >> > >> > Need help to enable below security headers in Apache tomcat 7.0.79 >> > Operating system is windows 2012 R2 >> > >> > 1. Content security headers >> > 2. HSTS header >> > >> > Regards >> > Nitin >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > -- > > Regards > Nitin Kadam > (9967688959) Links: -- [1] https://stackoverflow.com/questions/2876250/tomcat-cache-control [2] https://Securityheaders.io [3] https://scotthelme.co.uk/csp-cheat-sheet/
Re: Http insecure headers
Hello Team, I have added below given filter and restarted tomcat service still it shows Cache Control as private. Please help me on same. [image: image.png] On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > Hi Nitin, > > Am 27.02.2019 10:11, schrieb Nitin Kadam: > > Sorry for typo in earlier email, i was saying about ExpiresFilter only > > > > so how do i add this filter and failter mapping , Do i need to add > > both in existing httpHeaderSecurity > > > > > > > > ExpiresFilter > > > > org.apache.catalina.filters.ExpiresFilter > > > > ExpiresByType image > > access plus 10 days > > > > > > ExpiresByType text/css > > access plus 10 hours > > > > > > ExpiresByType application/javascript > > access plus 10 minutes > > > > > > > > ExpiresDefault > > access plus 0 seconds > > > > this is an extra entry. I don't know if you should really put this in > the global web.xml or rather in your applications web.xml. Maybe Mark > can let us know more about possible consequences? > > Add the ... AND the !!! > > Peter > > > > > > > > On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > > > >> Hello Nitin, > >> > >> Am 27.02.2019 08:52, schrieb Nitin Kadam: > >> > Hello, > >> > > >> > > >> > > >> > How can i change “Cache Control -private: to “Cache-Control: nostore” > >> > > >> > i searched and found that need to add express filters in web config > but > >> > not > >> > sure on where to add in filters. > >> > > >> > can you please guide me on same? > >> > > >> > >> as far as I can tell, that Header is already set by your application - > >> Tomcat will not set it by default. Not to "private" for sure. > >> So it may be necessary to change that in your config, maybe even code. > >> > >> Usually you would have to implement a CacheControl filter like the one > >> mentioned here at stackoverflow > >> https://stackoverflow.com/questions/2876250/tomcat-cache-control > >> > >> I don't know if the new ExpiresFilter will let you set the > >> Cache-Control-Header to that necessary value (other than max-age=0). > >> > >> From my experience and the long history of many different browsers > >> using > >> different headers, the one header will maybe solve a vulnscan issue > >> but > >> not the compatibility with "all" browsers. > >> > >> Peter > >> > >> > >> > > >> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > >> > > >> > wrote: > >> > > >> >> Hi Nitin, > >> >> > >> >> Per se this can be done by enabling the > >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> >> in the global or your webapp‘s web.xml > >> >> > >> >> For CSP you should write your own Filter. > >> >> > >> >> Beware though that Content Security Policy is nothing that can be > >> >> enabled > >> >> without application knowhow, the right settings for your needs and > >> >> intensive testing. You may really break inline Javascript in your > >> >> pages > >> >> (css too). > >> >> > >> >> Please check out the great websites of Scott Helme on the Headers > >> >> https://Securityheaders.io or > >> >> https://scotthelme.co.uk/csp-cheat-sheet/ > >> >> > >> >> > >> >> Peter > >> >> > >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam < > nitinkadam1...@gmail.com > >> >: > >> >> > > >> >> > Hello Team > >> >> > > >> >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> >> > Operating system is windows 2012 R2 > >> >> > > >> >> > 1. Content security headers > >> >> > 2. HSTS header > >> >> > > >> >> > Regards > >> >> > Nitin > >> >> > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Regards Nitin Kadam (9967688959)
tomcat 8.5.23 can not modify maxconcurrentstream setting
>> See >> https://github.com/apache/tomcat/blob/8.5.x/test/org/apache/coyote/http2/TestHttp2Section_5_1.java#L174 >From what I see in the test a STREAM_REFUSED is returned when a the maxConcurrentStream is set to one. Yet I'd like to understand how this value is changed internally. I think the only difference with my code is the call to the method doHttpUpgrade() which seems to send a GET for upgrade. Does this perform the actual upgrade of the settings? If this is the case where is it implemented?
Re: Http insecure headers
Hi Nitin, Am 27.02.2019 10:11, schrieb Nitin Kadam: Sorry for typo in earlier email, i was saying about ExpiresFilter only so how do i add this filter and failter mapping , Do i need to add both in existing httpHeaderSecurity ExpiresFilter org.apache.catalina.filters.ExpiresFilter ExpiresByType image access plus 10 days ExpiresByType text/css access plus 10 hours ExpiresByType application/javascript access plus 10 minutes ExpiresDefault access plus 0 seconds this is an extra entry. I don't know if you should really put this in the global web.xml or rather in your applications web.xml. Maybe Mark can let us know more about possible consequences? Add the ... AND the !!! Peter On Wed, Feb 27, 2019 at 1:59 PM logo wrote: Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: > Hello, > > > > How can i change “Cache Control -private: to “Cache-Control: nostore” > > i searched and found that need to add express filters in web config but > not > sure on where to add in filters. > > can you please guide me on same? > as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > wrote: > >> Hi Nitin, >> >> Per se this can be done by enabling the >> org.apache.catalina.filters.HttpHeaderSecurityFilter >> in the global or your webapp‘s web.xml >> >> For CSP you should write your own Filter. >> >> Beware though that Content Security Policy is nothing that can be >> enabled >> without application knowhow, the right settings for your needs and >> intensive testing. You may really break inline Javascript in your >> pages >> (css too). >> >> Please check out the great websites of Scott Helme on the Headers >> https://Securityheaders.io or >> https://scotthelme.co.uk/csp-cheat-sheet/ >> >> >> Peter >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : >> > >> > Hello Team >> > >> > Need help to enable below security headers in Apache tomcat 7.0.79 >> > Operating system is windows 2012 R2 >> > >> > 1. Content security headers >> > 2. HSTS header >> > >> > Regards >> > Nitin >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http insecure headers
Sorry for typo in earlier email, i was saying about ExpiresFilter only so how do i add this filter and failter mapping , Do i need to add both in existing httpHeaderSecurity ExpiresFilter org.apache.catalina.filters.ExpiresFilter ExpiresByType image access plus 10 days ExpiresByType text/css access plus 10 hours ExpiresByType application/javascript access plus 10 minutes ExpiresDefault access plus 0 seconds On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > Hello Nitin, > > Am 27.02.2019 08:52, schrieb Nitin Kadam: > > Hello, > > > > > > > > How can i change “Cache Control -private: to “Cache-Control: nostore” > > > > i searched and found that need to add express filters in web config but > > not > > sure on where to add in filters. > > > > can you please guide me on same? > > > > as far as I can tell, that Header is already set by your application - > Tomcat will not set it by default. Not to "private" for sure. > So it may be necessary to change that in your config, maybe even code. > > Usually you would have to implement a CacheControl filter like the one > mentioned here at stackoverflow > https://stackoverflow.com/questions/2876250/tomcat-cache-control > > I don't know if the new ExpiresFilter will let you set the > Cache-Control-Header to that necessary value (other than max-age=0). > > From my experience and the long history of many different browsers using > different headers, the one header will maybe solve a vulnscan issue but > not the compatibility with "all" browsers. > > Peter > > > > > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > > > wrote: > > > >> Hi Nitin, > >> > >> Per se this can be done by enabling the > >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> in the global or your webapp‘s web.xml > >> > >> For CSP you should write your own Filter. > >> > >> Beware though that Content Security Policy is nothing that can be > >> enabled > >> without application knowhow, the right settings for your needs and > >> intensive testing. You may really break inline Javascript in your > >> pages > >> (css too). > >> > >> Please check out the great websites of Scott Helme on the Headers > >> https://Securityheaders.io or > >> https://scotthelme.co.uk/csp-cheat-sheet/ > >> > >> > >> Peter > >> > >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam >: > >> > > >> > Hello Team > >> > > >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> > Operating system is windows 2012 R2 > >> > > >> > 1. Content security headers > >> > 2. HSTS header > >> > > >> > Regards > >> > Nitin > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Regards Nitin Kadam (9967688959)
RE: tomcat 8.5.23 can not modify maxconcurrentstream setting
>> See >> https://github.com/apache/tomcat/blob/8.5.x/test/org/apache/coyote/http2/TestHttp2Section_5_1.java#L174 >From what I see in the test a STREAM_REFUSED is returned when a the >maxConcurrentStream is set to one. Yet I'd like to understand how this value >is changed internally. I think the only difference with my code is the call to >the method doHttpUpgrade() which seems to send a GET for upgrade. Does this >perform the actual upgrade of the settings? If this is the case where is it >implemented? -Original Message- From: Mark Thomas Sent: martes, 26 de febrero de 2019 13:45 To: users@tomcat.apache.org Subject: Re: tomcat 8.5.23 can not modify maxconcurrentstream setting See https://github.com/apache/tomcat/blob/8.5.x/test/org/apache/coyote/http2/TestHttp2Section_5_1.java#L174 Mark On 26/02/2019 11:01, Helena Carbajo wrote: > I'm trying to modify the value of MaxConcurrentStream for the tomcat server > in order to check that it returns a STREAM_REFUSED when the client uses more > streams, but I don't manage to change the default unlimited value. > > I've been inspecting the tomcat server code with a debugger and I saw it > enters the method protected synchronized void set(Setting setting, Long > value) from the org.apache.coyote.http2.ConnectionSettingsLocal.java class > to change the value for maxConcurrentStream. Yet, if I'm not wrong, it only > modifies the pending hashSet not the current one, which is the one that is > checked later on to determine if it is lower than the clients' active streams > and therefore send the STREAM_REFUSED code. > > > > I'm not sure if I'm not modifying the value correctly. I use the > Http2Protocol's method setMaxConcurrentStreams to set the value and then add > the Http2Protocol to the connector(addUpgradeProtocol). > > > > I'd be grateful if someone could give me a hint of what is going on or what > I'm doing wrong. Thank you! > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http insecure headers
Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: Hello, How can i change “Cache Control -private: to “Cache-Control: nostore” i searched and found that need to add express filters in web config but not sure on where to add in filters. can you please guide me on same? as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online wrote: Hi Nitin, Per se this can be done by enabling the org.apache.catalina.filters.HttpHeaderSecurityFilter in the global or your webapp‘s web.xml For CSP you should write your own Filter. Beware though that Content Security Policy is nothing that can be enabled without application knowhow, the right settings for your needs and intensive testing. You may really break inline Javascript in your pages (css too). Please check out the great websites of Scott Helme on the Headers https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/ Peter > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : > > Hello Team > > Need help to enable below security headers in Apache tomcat 7.0.79 > Operating system is windows 2012 R2 > > 1. Content security headers > 2. HSTS header > > Regards > Nitin - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org