Hi Nitin,

On 27.02.2019 10:11, Nitin Kadam wrote:
Sorry for the typo in my earlier email, I was talking about ExpiresFilter only.

So how do I add this filter and filter mapping? Do I need to add
both in the existing <filter-name>httpHeaderSecurity</filter-name>?


<filter>
    <filter-name>ExpiresFilter</filter-name>
    <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
    <init-param>
        <param-name>ExpiresByType image</param-name>
        <param-value>access plus 10 days</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType text/css</param-name>
        <param-value>access plus 10 hours</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType application/javascript</param-name>
        <param-value>access plus 10 minutes</param-value>
    </init-param>
    <!-- Let everything else expire immediately -->
    <init-param>
        <param-name>ExpiresDefault</param-name>
        <param-value>access plus 0 seconds</param-value>
    </init-param>
</filter>

This is an extra entry. I don't know if you should really put this in the global web.xml or rather in your application's web.xml. Maybe Mark can let us know more about possible consequences?

Add the <filter>...</filter> AND the <filter-mapping>!!!

Peter




On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:

Hello Nitin,

On 27.02.2019 08:52, Nitin Kadam wrote:
> Hello,
>
>
>
> How can I change "Cache Control -private" to "Cache-Control: nostore"?
>
> I searched and found that I need to add express filters in web config but
> am not sure where to add the filters.
>
> Can you please guide me on the same?
>

As far as I can tell, that Header is already set by your application -
Tomcat will not set it by default. Not to "private" for sure.
So it may be necessary to change that in your config, maybe even code.

Usually you would have to implement a CacheControl filter like the one
mentioned here at stackoverflow
https://stackoverflow.com/questions/2876250/tomcat-cache-control

I don't know if the new ExpiresFilter will let you set the
Cache-Control-Header to that necessary value (other than max-age=0).

From my experience and the long history of many different browsers using different headers, the one header will maybe solve a vulnscan issue but
not the compatibility with "all" browsers.

Peter


>
> On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online <l...@kreuser.name> wrote:
>
>> Hi Nitin,
>>
>> Per se this can be done by enabling the
>> org.apache.catalina.filters.HttpHeaderSecurityFilter
>> in the global or your webapp's web.xml
>>
>> For CSP you should write your own Filter.
>>
>> Beware though that Content Security Policy is nothing that can be
>> enabled without application know-how, the right settings for your
>> needs and intensive testing. You may really break inline JavaScript
>> in your pages (CSS too).
>>
>> Please check out the great websites of Scott Helme on the Headers
>> https://Securityheaders.io or
>> https://scotthelme.co.uk/csp-cheat-sheet/
>>
>>
>> Peter
>>
>> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
>> >
>> > Hello Team
>> >
>> > Need help to enable below security headers in Apache tomcat 7.0.79
>> > Operating system is windows 2012 R2
>> >
>> > 1. Content  security headers
>> > 2. HSTS header
>> >
>> > Regards
>> > Nitin
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
