Re: Http insecure headers
Nitin, sorry for my late reply. > Am 27.02.2019 um 17:01 schrieb Nitin Kadam : > > Hello , > > We dint have any reverse proxy in middle layers and we have added filters in > web.config only, Please find attached snaps of same. > i am new to tomcat so didnt able to understand all terms. > Well your added filter will not help, if there is already code in place. To find a possible configuration you may check on your webapp’s web.xml (located in the WEB-INF directory). But that all depends on the webapp... Is this application developed by you/your company or somebody else? You may need help from the developer. Best regards Peter >> On Wed, Feb 27, 2019 at 9:20 PM logo wrote: >> >> >> Hello Nitin, >> >> Am 27.02.2019 16:34, schrieb Nitin Kadam: >> >> > Hello Team, >> > >> > I have added below given filter and restarted tomcat service still it >> > shows Cache Control as private. >> > Please help me on same. >> >> Pictures are stripped off the mailing list. so better send us text logs. >> >> >> Nevertheless I told you before, the Cache-Control header may come from >> your webapp. So you have to check the web.xml of the app for a possible >> filter. Maybe it's also in the framework or the servlets itself. What is >> happening if you request a resource from another context? >> If it is set in the app, then possibly nothing in tomcat will be able to >> remove it from the response (maybe a reverse proxy like apache or >> nginx). >> >> Hope this helps. >> >> Peter >> >> > On Wed, Feb 27, 2019 at 2:54 PM logo wrote: >> > >> >> Hi Nitin, >> >> >> >> Am 27.02.2019 10:11, schrieb Nitin Kadam: >> >>> Sorry for typo in earlier email, i was saying about ExpiresFilter only >> >>> >> >>> so how do i add this filter and failter mapping , Do i need to add >> >>> both in existing httpHeaderSecurity >> >>> >> >>> >> >>> >> >>> ExpiresFilter >> >>> >> >>> org.apache.catalina.filters.ExpiresFilter >> >>> >> >>> ExpiresByType image >> >>> access plus 10 days >> >>> >> >>> >> >>> ExpiresByType text/css >> >>> access plus 10 hours >> >>> >> >>> >> >>> ExpiresByType application/javascript >> >>> access plus 10 minutes >> >>> >> >>> >> >>> >> >>> ExpiresDefault >> >>> access plus 0 seconds >> >>> >> >> >> >> this is an extra entry. I don't know if you should really put this in >> >> the global web.xml or rather in your applications web.xml. Maybe Mark >> >> can let us know more about possible consequences? >> >> >> >> Add the ... AND the !!! >> >> >> >> Peter >> >> >> >>> >> >>> >> >>> On Wed, Feb 27, 2019 at 1:59 PM logo wrote: >> >>> >> Hello Nitin, >> >> Am 27.02.2019 08:52, schrieb Nitin Kadam: >> > Hello, >> > >> > >> > >> > How can i change "Cache Control -private: to "Cache-Control: nostore" >> > >> > i searched and found that need to add express filters in web config but >> > not >> > sure on where to add in filters. >> > >> > can you please guide me on same? >> > >> >> as far as I can tell, that Header is already set by your application - >> Tomcat will not set it by default. Not to "private" for sure. >> So it may be necessary to change that in your config, maybe even code. >> >> Usually you would have to implement a CacheControl filter like the one >> mentioned here at stackoverflow >> https://stackoverflow.com/questions/2876250/tomcat-cache-control [1] >> >> I don't know if the new ExpiresFilter will let you set the >> Cache-Control-Header to that necessary value (other than max-age=0). >> >> From my experience and the long history of many different browsers >> using >> different headers, the one header will maybe solve a vulnscan issue >> but >> not the compatibility with "all" browsers. >> >> Peter >> >> >> > >> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online >> > >> > wrote: >> > >> >> Hi Nitin, >> >> >> >> Per se this can be done by enabling the >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter >> >> in the global or your webapp's web.xml >> >> >> >> For CSP you should write your own Filter. >> >> >> >> Beware though that Content Security Policy is nothing that can be >> >> enabled >> >> without application knowhow, the right settings for your needs and >> >> intensive testing. You may really break inline Javascript in your >> >> pages >> >> (css too). >> >> >> >> Please check out the great websites of Scott Helme on the Headers >> >> https://Securityheaders.io [2] or >> >> https://scotthelme.co.uk/csp-cheat-sheet/ [3] >> >> >> >> >> >> Peter >> >> >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam > >: >> >> > >> >> > Hello Team >> >> > >> >> > Need help to enable below security headers in Apache tomcat 7.0.79 >> >> > Operating system
Re: Http insecure headers
Hello , We dint have any reverse proxy in middle layers and we have added filters in web.config only, Please find attached snaps of same. i am new to tomcat so didnt able to understand all terms. On Wed, Feb 27, 2019 at 9:20 PM logo wrote: > > > Hello Nitin, > > Am 27.02.2019 16:34, schrieb Nitin Kadam: > > > Hello Team, > > > > I have added below given filter and restarted tomcat service still it > shows Cache Control as private. > > Please help me on same. > > Pictures are stripped off the mailing list. so better send us text logs. > > > Nevertheless I told you before, the Cache-Control header may come from > your webapp. So you have to check the web.xml of the app for a possible > filter. Maybe it's also in the framework or the servlets itself. What is > happening if you request a resource from another context? > If it is set in the app, then possibly nothing in tomcat will be able to > remove it from the response (maybe a reverse proxy like apache or > nginx). > > Hope this helps. > > Peter > > > On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > > > >> Hi Nitin, > >> > >> Am 27.02.2019 10:11, schrieb Nitin Kadam: > >>> Sorry for typo in earlier email, i was saying about ExpiresFilter only > >>> > >>> so how do i add this filter and failter mapping , Do i need to add > >>> both in existing httpHeaderSecurity > >>> > >>> > >>> > >>> ExpiresFilter > >>> > >>> org.apache.catalina.filters.ExpiresFilter > >>> > >>> ExpiresByType image > >>> access plus 10 days > >>> > >>> > >>> ExpiresByType text/css > >>> access plus 10 hours > >>> > >>> > >>> ExpiresByType application/javascript > >>> access plus 10 minutes > >>> > >>> > >>> > >>> ExpiresDefault > >>> access plus 0 seconds > >>> > >> > >> this is an extra entry. I don't know if you should really put this in > >> the global web.xml or rather in your applications web.xml. Maybe Mark > >> can let us know more about possible consequences? > >> > >> Add the ... AND the !!! > >> > >> Peter > >> > >>> > >>> > >>> On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > >>> > Hello Nitin, > > Am 27.02.2019 08:52, schrieb Nitin Kadam: > > Hello, > > > > > > > > How can i change "Cache Control -private: to "Cache-Control: nostore" > > > > i searched and found that need to add express filters in web config > but > > not > > sure on where to add in filters. > > > > can you please guide me on same? > > > > as far as I can tell, that Header is already set by your application - > Tomcat will not set it by default. Not to "private" for sure. > So it may be necessary to change that in your config, maybe even code. > > Usually you would have to implement a CacheControl filter like the one > mentioned here at stackoverflow > https://stackoverflow.com/questions/2876250/tomcat-cache-control [1] > > I don't know if the new ExpiresFilter will let you set the > Cache-Control-Header to that necessary value (other than max-age=0). > > From my experience and the long history of many different browsers > using > different headers, the one header will maybe solve a vulnscan issue > but > not the compatibility with "all" browsers. > > Peter > > > > > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > > > wrote: > > > >> Hi Nitin, > >> > >> Per se this can be done by enabling the > >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> in the global or your webapp's web.xml > >> > >> For CSP you should write your own Filter. > >> > >> Beware though that Content Security Policy is nothing that can be > >> enabled > >> without application knowhow, the right settings for your needs and > >> intensive testing. You may really break inline Javascript in your > >> pages > >> (css too). > >> > >> Please check out the great websites of Scott Helme on the Headers > >> https://Securityheaders.io [2] or > >> https://scotthelme.co.uk/csp-cheat-sheet/ [3] > >> > >> > >> Peter > >> > >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam < > nitinkadam1...@gmail.com > >: > >> > > >> > Hello Team > >> > > >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> > Operating system is windows 2012 R2 > >> > > >> > 1. Content security headers > >> > 2. HSTS header > >> > > >> > Regards > >> > Nitin > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > --
Re: Http insecure headers
Hello Nitin, Am 27.02.2019 16:34, schrieb Nitin Kadam: > Hello Team, > > I have added below given filter and restarted tomcat service still it shows > Cache Control as private. > Please help me on same. Pictures are stripped off the mailing list. so better send us text logs. Nevertheless I told you before, the Cache-Control header may come from your webapp. So you have to check the web.xml of the app for a possible filter. Maybe it's also in the framework or the servlets itself. What is happening if you request a resource from another context? If it is set in the app, then possibly nothing in tomcat will be able to remove it from the response (maybe a reverse proxy like apache or nginx). Hope this helps. Peter > On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > >> Hi Nitin, >> >> Am 27.02.2019 10:11, schrieb Nitin Kadam: >>> Sorry for typo in earlier email, i was saying about ExpiresFilter only >>> >>> so how do i add this filter and failter mapping , Do i need to add >>> both in existing httpHeaderSecurity >>> >>> >>> >>> ExpiresFilter >>> >>> org.apache.catalina.filters.ExpiresFilter >>> >>> ExpiresByType image >>> access plus 10 days >>> >>> >>> ExpiresByType text/css >>> access plus 10 hours >>> >>> >>> ExpiresByType application/javascript >>> access plus 10 minutes >>> >>> >>> >>> ExpiresDefault >>> access plus 0 seconds >>> >> >> this is an extra entry. I don't know if you should really put this in >> the global web.xml or rather in your applications web.xml. Maybe Mark >> can let us know more about possible consequences? >> >> Add the ... AND the !!! >> >> Peter >> >>> >>> >>> On Wed, Feb 27, 2019 at 1:59 PM logo wrote: >>> Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: > Hello, > > > > How can i change "Cache Control -private: to "Cache-Control: nostore" > > i searched and found that need to add express filters in web config but > not > sure on where to add in filters. > > can you please guide me on same? > as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control [1] I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > wrote: > >> Hi Nitin, >> >> Per se this can be done by enabling the >> org.apache.catalina.filters.HttpHeaderSecurityFilter >> in the global or your webapp's web.xml >> >> For CSP you should write your own Filter. >> >> Beware though that Content Security Policy is nothing that can be >> enabled >> without application knowhow, the right settings for your needs and >> intensive testing. You may really break inline Javascript in your >> pages >> (css too). >> >> Please check out the great websites of Scott Helme on the Headers >> https://Securityheaders.io [2] or >> https://scotthelme.co.uk/csp-cheat-sheet/ [3] >> >> >> Peter >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : >> > >> > Hello Team >> > >> > Need help to enable below security headers in Apache tomcat 7.0.79 >> > Operating system is windows 2012 R2 >> > >> > 1. Content security headers >> > 2. HSTS header >> > >> > Regards >> > Nitin >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > -- > > Regards > Nitin Kadam > (9967688959) Links: -- [1] https://stackoverflow.com/questions/2876250/tomcat-cache-control [2] https://Securityheaders.io [3] https://scotthelme.co.uk/csp-cheat-sheet/
Re: Http insecure headers
Hello Team, I have added below given filter and restarted tomcat service still it shows Cache Control as private. Please help me on same. [image: image.png] On Wed, Feb 27, 2019 at 2:54 PM logo wrote: > Hi Nitin, > > Am 27.02.2019 10:11, schrieb Nitin Kadam: > > Sorry for typo in earlier email, i was saying about ExpiresFilter only > > > > so how do i add this filter and failter mapping , Do i need to add > > both in existing httpHeaderSecurity > > > > > > > > ExpiresFilter > > > > org.apache.catalina.filters.ExpiresFilter > > > > ExpiresByType image > > access plus 10 days > > > > > > ExpiresByType text/css > > access plus 10 hours > > > > > > ExpiresByType application/javascript > > access plus 10 minutes > > > > > > > > ExpiresDefault > > access plus 0 seconds > > > > this is an extra entry. I don't know if you should really put this in > the global web.xml or rather in your applications web.xml. Maybe Mark > can let us know more about possible consequences? > > Add the ... AND the !!! > > Peter > > > > > > > > On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > > > >> Hello Nitin, > >> > >> Am 27.02.2019 08:52, schrieb Nitin Kadam: > >> > Hello, > >> > > >> > > >> > > >> > How can i change “Cache Control -private: to “Cache-Control: nostore” > >> > > >> > i searched and found that need to add express filters in web config > but > >> > not > >> > sure on where to add in filters. > >> > > >> > can you please guide me on same? > >> > > >> > >> as far as I can tell, that Header is already set by your application - > >> Tomcat will not set it by default. Not to "private" for sure. > >> So it may be necessary to change that in your config, maybe even code. > >> > >> Usually you would have to implement a CacheControl filter like the one > >> mentioned here at stackoverflow > >> https://stackoverflow.com/questions/2876250/tomcat-cache-control > >> > >> I don't know if the new ExpiresFilter will let you set the > >> Cache-Control-Header to that necessary value (other than max-age=0). > >> > >> From my experience and the long history of many different browsers > >> using > >> different headers, the one header will maybe solve a vulnscan issue > >> but > >> not the compatibility with "all" browsers. > >> > >> Peter > >> > >> > >> > > >> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > >> > > >> > wrote: > >> > > >> >> Hi Nitin, > >> >> > >> >> Per se this can be done by enabling the > >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> >> in the global or your webapp‘s web.xml > >> >> > >> >> For CSP you should write your own Filter. > >> >> > >> >> Beware though that Content Security Policy is nothing that can be > >> >> enabled > >> >> without application knowhow, the right settings for your needs and > >> >> intensive testing. You may really break inline Javascript in your > >> >> pages > >> >> (css too). > >> >> > >> >> Please check out the great websites of Scott Helme on the Headers > >> >> https://Securityheaders.io or > >> >> https://scotthelme.co.uk/csp-cheat-sheet/ > >> >> > >> >> > >> >> Peter > >> >> > >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam < > nitinkadam1...@gmail.com > >> >: > >> >> > > >> >> > Hello Team > >> >> > > >> >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> >> > Operating system is windows 2012 R2 > >> >> > > >> >> > 1. Content security headers > >> >> > 2. HSTS header > >> >> > > >> >> > Regards > >> >> > Nitin > >> >> > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Regards Nitin Kadam (9967688959)
Re: Http insecure headers
Hi Nitin, Am 27.02.2019 10:11, schrieb Nitin Kadam: Sorry for typo in earlier email, i was saying about ExpiresFilter only so how do i add this filter and failter mapping , Do i need to add both in existing httpHeaderSecurity ExpiresFilter org.apache.catalina.filters.ExpiresFilter ExpiresByType image access plus 10 days ExpiresByType text/css access plus 10 hours ExpiresByType application/javascript access plus 10 minutes ExpiresDefault access plus 0 seconds this is an extra entry. I don't know if you should really put this in the global web.xml or rather in your applications web.xml. Maybe Mark can let us know more about possible consequences? Add the ... AND the !!! Peter On Wed, Feb 27, 2019 at 1:59 PM logo wrote: Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: > Hello, > > > > How can i change “Cache Control -private: to “Cache-Control: nostore” > > i searched and found that need to add express filters in web config but > not > sure on where to add in filters. > > can you please guide me on same? > as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > wrote: > >> Hi Nitin, >> >> Per se this can be done by enabling the >> org.apache.catalina.filters.HttpHeaderSecurityFilter >> in the global or your webapp‘s web.xml >> >> For CSP you should write your own Filter. >> >> Beware though that Content Security Policy is nothing that can be >> enabled >> without application knowhow, the right settings for your needs and >> intensive testing. You may really break inline Javascript in your >> pages >> (css too). >> >> Please check out the great websites of Scott Helme on the Headers >> https://Securityheaders.io or >> https://scotthelme.co.uk/csp-cheat-sheet/ >> >> >> Peter >> >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : >> > >> > Hello Team >> > >> > Need help to enable below security headers in Apache tomcat 7.0.79 >> > Operating system is windows 2012 R2 >> > >> > 1. Content security headers >> > 2. HSTS header >> > >> > Regards >> > Nitin >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http insecure headers
Sorry for typo in earlier email, i was saying about ExpiresFilter only so how do i add this filter and failter mapping , Do i need to add both in existing httpHeaderSecurity ExpiresFilter org.apache.catalina.filters.ExpiresFilter ExpiresByType image access plus 10 days ExpiresByType text/css access plus 10 hours ExpiresByType application/javascript access plus 10 minutes ExpiresDefault access plus 0 seconds On Wed, Feb 27, 2019 at 1:59 PM logo wrote: > Hello Nitin, > > Am 27.02.2019 08:52, schrieb Nitin Kadam: > > Hello, > > > > > > > > How can i change “Cache Control -private: to “Cache-Control: nostore” > > > > i searched and found that need to add express filters in web config but > > not > > sure on where to add in filters. > > > > can you please guide me on same? > > > > as far as I can tell, that Header is already set by your application - > Tomcat will not set it by default. Not to "private" for sure. > So it may be necessary to change that in your config, maybe even code. > > Usually you would have to implement a CacheControl filter like the one > mentioned here at stackoverflow > https://stackoverflow.com/questions/2876250/tomcat-cache-control > > I don't know if the new ExpiresFilter will let you set the > Cache-Control-Header to that necessary value (other than max-age=0). > > From my experience and the long history of many different browsers using > different headers, the one header will maybe solve a vulnscan issue but > not the compatibility with "all" browsers. > > Peter > > > > > > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online > > > > wrote: > > > >> Hi Nitin, > >> > >> Per se this can be done by enabling the > >> org.apache.catalina.filters.HttpHeaderSecurityFilter > >> in the global or your webapp‘s web.xml > >> > >> For CSP you should write your own Filter. > >> > >> Beware though that Content Security Policy is nothing that can be > >> enabled > >> without application knowhow, the right settings for your needs and > >> intensive testing. You may really break inline Javascript in your > >> pages > >> (css too). > >> > >> Please check out the great websites of Scott Helme on the Headers > >> https://Securityheaders.io or > >> https://scotthelme.co.uk/csp-cheat-sheet/ > >> > >> > >> Peter > >> > >> > Am 19.02.2019 um 19:13 schrieb Nitin Kadam >: > >> > > >> > Hello Team > >> > > >> > Need help to enable below security headers in Apache tomcat 7.0.79 > >> > Operating system is windows 2012 R2 > >> > > >> > 1. Content security headers > >> > 2. HSTS header > >> > > >> > Regards > >> > Nitin > >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Regards Nitin Kadam (9967688959)
Re: Http insecure headers
Hello Nitin, Am 27.02.2019 08:52, schrieb Nitin Kadam: Hello, How can i change “Cache Control -private: to “Cache-Control: nostore” i searched and found that need to add express filters in web config but not sure on where to add in filters. can you please guide me on same? as far as I can tell, that Header is already set by your application - Tomcat will not set it by default. Not to "private" for sure. So it may be necessary to change that in your config, maybe even code. Usually you would have to implement a CacheControl filter like the one mentioned here at stackoverflow https://stackoverflow.com/questions/2876250/tomcat-cache-control I don't know if the new ExpiresFilter will let you set the Cache-Control-Header to that necessary value (other than max-age=0). From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but not the compatibility with "all" browsers. Peter On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online wrote: Hi Nitin, Per se this can be done by enabling the org.apache.catalina.filters.HttpHeaderSecurityFilter in the global or your webapp‘s web.xml For CSP you should write your own Filter. Beware though that Content Security Policy is nothing that can be enabled without application knowhow, the right settings for your needs and intensive testing. You may really break inline Javascript in your pages (css too). Please check out the great websites of Scott Helme on the Headers https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/ Peter > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : > > Hello Team > > Need help to enable below security headers in Apache tomcat 7.0.79 > Operating system is windows 2012 R2 > > 1. Content security headers > 2. HSTS header > > Regards > Nitin - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http insecure headers
Hello, How can i change “Cache Control -private: to “Cache-Control: nostore” i searched and found that need to add express filters in web config but not sure on where to add in filters. can you please guide me on same? On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online wrote: > Hi Nitin, > > Per se this can be done by enabling the > org.apache.catalina.filters.HttpHeaderSecurityFilter > in the global or your webapp‘s web.xml > > For CSP you should write your own Filter. > > Beware though that Content Security Policy is nothing that can be enabled > without application knowhow, the right settings for your needs and > intensive testing. You may really break inline Javascript in your pages > (css too). > > Please check out the great websites of Scott Helme on the Headers > https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/ > > > Peter > > > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : > > > > Hello Team > > > > Need help to enable below security headers in Apache tomcat 7.0.79 > > Operating system is windows 2012 R2 > > > > 1. Content security headers > > 2. HSTS header > > > > Regards > > Nitin > -- Regards Nitin Kadam (9967688959)
Re: Http insecure headers
Hi Nitin, Per se this can be done by enabling the org.apache.catalina.filters.HttpHeaderSecurityFilter in the global or your webapp‘s web.xml For CSP you should write your own Filter. Beware though that Content Security Policy is nothing that can be enabled without application knowhow, the right settings for your needs and intensive testing. You may really break inline Javascript in your pages (css too). Please check out the great websites of Scott Helme on the Headers https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/ Peter > Am 19.02.2019 um 19:13 schrieb Nitin Kadam : > > Hello Team > > Need help to enable below security headers in Apache tomcat 7.0.79 > Operating system is windows 2012 R2 > > 1. Content security headers > 2. HSTS header > > Regards > Nitin
Http insecure headers
Hello Team Need help to enable below security headers in Apache tomcat 7.0.79 Operating system is windows 2012 R2 1. Content security headers 2. HSTS header Regards Nitin