Hello Nitin,
Am 27.02.2019 08:52, schrieb Nitin Kadam:
Hello,
How can i change “Cache Control -private: to “Cache-Control: nostore”
i searched and found that need to add express filters in web config but
not
sure on where to add in filters.
can you please guide me on same?
as far as I can tell, that Header is already set by your application -
Tomcat will not set it by default. Not to "private" for sure.
So it may be necessary to change that in your config, maybe even code.
Usually you would have to implement a CacheControl filter like the one
mentioned here at stackoverflow
https://stackoverflow.com/questions/2876250/tomcat-cache-control
I don't know if the new ExpiresFilter will let you set the
Cache-Control-Header to that necessary value (other than max-age=0).
From my experience and the long history of many different browsers using
different headers, the one header will maybe solve a vulnscan issue but
not the compatibility with "all" browsers.
Peter
On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
<l...@kreuser.name>
wrote:
Hi Nitin,
Per se this can be done by enabling the
org.apache.catalina.filters.HttpHeaderSecurityFilter
in the global or your webapp‘s web.xml
For CSP you should write your own Filter.
Beware though that Content Security Policy is nothing that can be
enabled
without application knowhow, the right settings for your needs and
intensive testing. You may really break inline Javascript in your
pages
(css too).
Please check out the great websites of Scott Helme on the Headers
https://Securityheaders.io or
https://scotthelme.co.uk/csp-cheat-sheet/
Peter
> Am 19.02.2019 um 19:13 schrieb Nitin Kadam <nitinkadam1...@gmail.com>:
>
> Hello Team
>
> Need help to enable below security headers in Apache tomcat 7.0.79
> Operating system is windows 2012 R2
>
> 1. Content security headers
> 2. HSTS header
>
> Regards
> Nitin
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
