Hello Nitin, 

On 27.02.2019 16:34, Nitin Kadam wrote:

> Hello Team, 
> 
> I have added the filter given below and restarted the Tomcat service, but it still shows
> Cache Control as private.
> Please help me with this.

Pictures are stripped off the mailing list, so better send us text logs.


Nevertheless, I told you before, the Cache-Control header may come from
your webapp. So you have to check the web.xml of the app for a possible
filter. Maybe it's also in the framework or the servlets themselves. What
happens if you request a resource from another context?
If it is set in the app, then possibly nothing in Tomcat will be able to
remove it from the response (maybe a reverse proxy like Apache or
nginx).

Hope this helps. 

Peter 

> On Wed, Feb 27, 2019 at 2:54 PM logo <l...@kreuser.name> wrote: 
> 
>> Hi Nitin,
>> 
>> On 27.02.2019 10:11, Nitin Kadam wrote:
>>> Sorry for the typo in my earlier email, I was talking about ExpiresFilter only.
>>>
>>> So how do I add this filter and filter mapping? Do I need to add
>>> both in the existing <filter-name>httpHeaderSecurity</filter-name>?
>>> 
>>> 
>>> <filter>
>>>   <filter-name>ExpiresFilter</filter-name>
>>>   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
>>>   <init-param>
>>>     <param-name>ExpiresByType image</param-name>
>>>     <param-value>access plus 10 days</param-value>
>>>   </init-param>
>>>   <init-param>
>>>     <param-name>ExpiresByType text/css</param-name>
>>>     <param-value>access plus 10 hours</param-value>
>>>   </init-param>
>>>   <init-param>
>>>     <param-name>ExpiresByType application/javascript</param-name>
>>>     <param-value>access plus 10 minutes</param-value>
>>>   </init-param>
>>>   <!-- Let everything else expire immediately -->
>>>   <init-param>
>>>     <param-name>ExpiresDefault</param-name>
>>>     <param-value>access plus 0 seconds</param-value>
>>>   </init-param>
>>> </filter>
>> 
>> This is an extra entry. I don't know if you should really put this in
>> the global web.xml or rather in your application's web.xml. Maybe Mark
>> can let us know more about possible consequences?
>> 
>> Add the <filter>...</filter> AND the <filter-mapping>!!!
>> 
>> Peter
>> 
>>> 
>>> 
>>> On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:
>>> 
>>>> Hello Nitin,
>>>> 
>>>> On 27.02.2019 08:52, Nitin Kadam wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>>
>>>>> How can I change "Cache Control -private" to "Cache-Control: nostore"?
>>>>>
>>>>> I searched and found that I need to add express filters in the web config, but
>>>>> I am not sure where to add the filters.
>>>>>
>>>>> Can you please guide me on this?
>>>>>
>>>> 
>>>> As far as I can tell, that header is already set by your application -
>>>> Tomcat will not set it by default. Not to "private" for sure.
>>>> So it may be necessary to change that in your config, maybe even code.
>>>>
>>>> Usually you would have to implement a CacheControl filter like the one
>>>> mentioned here at Stack Overflow:
>>>> https://stackoverflow.com/questions/2876250/tomcat-cache-control [1]
>>>>
>>>> I don't know if the new ExpiresFilter will let you set the
>>>> Cache-Control header to that necessary value (other than max-age=0).
>>>>
>>>> From my experience and the long history of many different browsers using
>>>> different headers, the one header will maybe solve a vulnscan issue but
>>>> not the compatibility with "all" browsers.
>>>> 
>>>> Peter
>>>> 
>>>> 
>>>>>
>>>>> On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
>>>>> <l...@kreuser.name>
>>>>> wrote:
>>>>>
>>>>>> Hi Nitin,
>>>>>>
>>>>>> Per se this can be done by enabling the
>>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter
>>>>>> in the global or your webapp's web.xml.
>>>>>>
>>>>>> For CSP you should write your own filter.
>>>>>>
>>>>>> Beware though that Content Security Policy is nothing that can be enabled
>>>>>> without application know-how, the right settings for your needs and
>>>>>> intensive testing. You may really break inline JavaScript in your pages
>>>>>> (CSS too).
>>>>>>
>>>>>> Please check out the great websites of Scott Helme on the Headers
>>>>>> https://Securityheaders.io [2] or
>>>>>> https://scotthelme.co.uk/csp-cheat-sheet/ [3]
>>>>>>
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
>>>>>> >
>>>>>> > Hello Team
>>>>>> >
>>>>>> > Need help to enable the security headers below in Apache Tomcat 7.0.79.
>>>>>> > Operating system is Windows 2012 R2.
>>>>>> >
>>>>>> > 1. Content security headers
>>>>>> > 2. HSTS header
>>>>>> >
>>>>>> > Regards
>>>>>> > Nitin
>>>>>>
>>>> 
>> 
> 
> -- 
> 
> Regards
> Nitin Kadam
> (9967688959)

 

Links:
------
[1] https://stackoverflow.com/questions/2876250/tomcat-cache-control
[2] https://Securityheaders.io
[3] https://scotthelme.co.uk/csp-cheat-sheet/
