Re: security headers

2017-11-03 Thread Alejandro Vargas M.

Can you help with an example of this url-rewrite to add this header, please?

Thanks in advance.


On 11/01/2017 02:03 PM, Christopher Schultz wrote:


Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:

Hello,

I recently used on web.xml

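    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to enable some security headers, but it won't enable Content
Security Policy header. Is there any way to enable Content Security
Policy at top server level???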

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




--




Alejandro Vargas Mayorga
Development Manager, C.A. & C.
Tel. 506-7232-3366
Email: alejandro.var...@kymsolutions.com
www.kymsolutions.com
Visit our virtual classroom!
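
Added example, not written by anyone in this thread or by the url-rewrite project: one way to follow the recommendation above and have url-rewrite set a Content-Security-Policy header on every outgoing response. It assumes the urlrewritefilter jar is in the webapp's WEB-INF/lib and that the rules live in the default WEB-INF/urlrewrite.xml; the policy values are constructed samples that must be adapted to what the application actually loads.

```xml
<!-- ===== WEB-INF/web.xml (fragment) ===== -->
<!-- Register UrlRewriteFilter for all requests so its rules see every response. -->
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- ===== WEB-INF/urlrewrite.xml ===== -->
<urlrewrite>
    <!-- A rule with <from> but no <to> does not rewrite the URL;
         the request continues as normal and only the <set> is applied. -->
    <rule>
        <note>Enforced CSP on every response (sample policy, constructed for illustration)</note>
        <from>.*</from>
        <set type="response-header" name="Content-Security-Policy">default-src 'self'; object-src 'none'; frame-ancestors 'self'</set>
    </rule>

    <!-- Rollout alternative: send the same policy as report-only first, so
         violations show up in the browser console without blocking anything.
         Use this rule instead of the one above while tuning the policy.
    <rule>
        <from>.*</from>
        <set type="response-header" name="Content-Security-Policy-Report-Only">default-src 'self'; object-src 'none'; frame-ancestors 'self'</set>
    </rule>
    -->
</urlrewrite>
```

To check the result, request any page and confirm the header appears in the response headers shown by the browser's developer tools.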



security headers

2017-11-01 Thread Alejandro Vargas M.

Hello,

    I recently used on web.xml

   
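    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to enable some security headers, but it won't enable Content Security
Policy header. Is there any way to enable Content Security Policy at top
server level???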


Thanks in advance.

--


Re: tomcat ssl setup

2017-09-19 Thread Alejandro Vargas M.
Did you look at what's in the log files? They can tell you what the
problem is. Maybe you can share those files too.


I also saw this on line 117: "|||-->|". Looks like there's something left over.



On 09/19/2017 09:31 AM, John Ellis wrote:


I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version 
6.4) server for testing purposes. I downloaded & installed Tomcat9 
fine and I get a proper webpage on port 8080 but when I used the 
keytool commands and created a certificate from cacert.org and then 
edited the server.xml file to setup the ssl configuration to run on 
port 8443 I cannot get a webpage on that port; it defaults back to 
port 8080. If I am not providing all the needed info or asking a wrong 
question please forgive me. I am not a programmer. My background is in 
computer hardware. I have just been forced to learn this to support 
two products that we use here in our office; Jira and Confluence. I 
have actually been working on setting them up for an SSL connection on 
a different server. I got Confluence working on a secure port but not 
Jira so my boss suggested troubleshooting the issue by trying to first 
get SSL setup for Tomcat on this other server.


I am providing a copy of the Tomcat9 server.xml file here on a DropBox
link: https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0


Thanks in advance!

John Ellis

405.285.2500 office

United States



http://biz-e.io






Session delete

2017-09-07 Thread Alejandro Vargas M.
Is there any way to delete a session in Tomcat when the user does not log
out correctly from the application? Normally they do not log out correctly;
they just click on the "X" (they said), that is, they click the close button
of Internet Explorer.


I tried with $(window).unload using JS, but it fires on every refresh,
not when the close button on the browser is clicked.






web.xml

2017-09-05 Thread Alejandro Vargas M.

Good afternoon,

I have a website at a client, and they ran a vulnerability test, and it
reports a vulnerability: any user can see web.xml from a web browser.


How can I hide web.xml or any other file so it cannot be seen from the browser?


Thanks.

