Nitin, sorry for my late reply.
> On 27.02.2019 at 17:01, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
>
> Hello,
>
> We didn't have any reverse proxy in the middle layers and we have added filters in
> web.config only. Please find attached snaps of the same.
> I am new to Tomcat so I wasn't able to understand all the terms.
>

Well, your added filter will not help if there is already code in place.
To find a possible configuration you may check your webapp's web.xml (located in the WEB-INF directory).
But that all depends on the webapp... Is this application developed by you/your company or somebody else?
You may need help from the developer.

Best regards

Peter

>> On Wed, Feb 27, 2019 at 9:20 PM logo <l...@kreuser.name> wrote:
>>
>> Hello Nitin,
>>
>> On 27.02.2019 16:34, Nitin Kadam wrote:
>>
>> > Hello Team,
>> >
>> > I have added the below given filter and restarted the Tomcat service; still it
>> > shows Cache-Control as private.
>> > Please help me on the same.
>>
>> Pictures are stripped off the mailing list, so better send us text logs.
>>
>> Nevertheless, I told you before, the Cache-Control header may come from
>> your webapp. So you have to check the web.xml of the app for a possible
>> filter. Maybe it's also in the framework or the servlets itself. What is
>> happening if you request a resource from another context?
>> If it is set in the app, then possibly nothing in Tomcat will be able to
>> remove it from the response (maybe a reverse proxy like Apache or
>> nginx).
>>
>> Hope this helps.
>>
>> Peter
>>
>> > On Wed, Feb 27, 2019 at 2:54 PM logo <l...@kreuser.name> wrote:
>> >
>> >> Hi Nitin,
>> >>
>> >> On 27.02.2019 10:11, Nitin Kadam wrote:
>> >>> Sorry for the typo in the earlier email, I was talking about ExpiresFilter only.
>> >>>
>> >>> So how do I add this filter and filter mapping? Do I need to add
>> >>> both in the existing <filter-name>httpHeaderSecurity</filter-name>?
>> >>>
>> >>> <filter>
>> >>>   <filter-name>ExpiresFilter</filter-name>
>> >>>   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
>> >>>   <init-param>
>> >>>     <param-name>ExpiresByType image</param-name>
>> >>>     <param-value>access plus 10 days</param-value>
>> >>>   </init-param>
>> >>>   <init-param>
>> >>>     <param-name>ExpiresByType text/css</param-name>
>> >>>     <param-value>access plus 10 hours</param-value>
>> >>>   </init-param>
>> >>>   <init-param>
>> >>>     <param-name>ExpiresByType application/javascript</param-name>
>> >>>     <param-value>access plus 10 minutes</param-value>
>> >>>   </init-param>
>> >>>   <!-- Let everything else expire immediately -->
>> >>>   <init-param>
>> >>>     <param-name>ExpiresDefault</param-name>
>> >>>     <param-value>access plus 0 seconds</param-value>
>> >>>   </init-param>
>> >>> </filter>
>> >>
>> >> This is an extra entry. I don't know if you should really put this in
>> >> the global web.xml or rather in your application's web.xml. Maybe Mark
>> >> can let us know more about possible consequences?
>> >>
>> >> Add the <filter>...</filter> AND the <filter-mapping>!!!
>> >>
>> >> Peter
>> >>
>> >>> On Wed, Feb 27, 2019 at 1:59 PM logo <l...@kreuser.name> wrote:
>> >>>
>> >>>> Hello Nitin,
>> >>>>
>> >>>> On 27.02.2019 08:52, Nitin Kadam wrote:
>> >>>>> Hello,
>> >>>>>
>> >>>>> How can I change "Cache-Control: private" to "Cache-Control: no-store"?
>> >>>>>
>> >>>>> I searched and found that I need to add express filters in web config but I am not
>> >>>>> sure where to add the filters.
>> >>>>>
>> >>>>> Can you please guide me on the same?
>> >>>>>
>> >>>> As far as I can tell, that header is already set by your application;
>> >>>> Tomcat will not set it by default. Not to "private" for sure.
>> >>>> So it may be necessary to change that in your config, maybe even code.
>> >>>>
>> >>>> Usually you would have to implement a CacheControl filter like the one
>> >>>> mentioned here at Stack Overflow:
>> >>>> https://stackoverflow.com/questions/2876250/tomcat-cache-control [1]
>> >>>>
>> >>>> I don't know if the new ExpiresFilter will let you set the
>> >>>> Cache-Control header to that necessary value (other than max-age=0).
>> >>>>
>> >>>> From my experience and the long history of many different browsers using
>> >>>> different headers, the one header will maybe solve a vulnscan issue but
>> >>>> not the compatibility with "all" browsers.
>> >>>>
>> >>>> Peter
>> >>>>
>> >>>>> On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online <l...@kreuser.name> wrote:
>> >>>>>
>> >>>>>> Hi Nitin,
>> >>>>>>
>> >>>>>> Per se this can be done by enabling the
>> >>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter
>> >>>>>> in the global or your webapp's web.xml.
>> >>>>>>
>> >>>>>> For CSP you should write your own Filter.
>> >>>>>>
>> >>>>>> Beware though that Content Security Policy is nothing that can be enabled
>> >>>>>> without application know-how, the right settings for your needs and
>> >>>>>> intensive testing. You may really break inline JavaScript in your pages
>> >>>>>> (CSS too).
>> >>>>>>
>> >>>>>> Please check out the great websites of Scott Helme on the headers:
>> >>>>>> https://Securityheaders.io [2] or
>> >>>>>> https://scotthelme.co.uk/csp-cheat-sheet/ [3]
>> >>>>>>
>> >>>>>> Peter
>> >>>>>>
>> >>>>>> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
>> >>>>>> >
>> >>>>>> > Hello Team,
>> >>>>>> >
>> >>>>>> > Need help to enable the below security headers in Apache Tomcat 7.0.79.
>> >>>>>> > The operating system is Windows 2012 R2.
>> >>>>>> >
>> >>>>>> > 1. Content security headers
>> >>>>>> > 2. HSTS header
>> >>>>>> >
>> >>>>>> > Regards
>> >>>>>> > Nitin
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> >
>> > --
>> >
>> > Regards
>> > Nitin Kadam
>> > (9967688959)
>>
>> Links:
>> ------
>> [1] https://stackoverflow.com/questions/2876250/tomcat-cache-control
>> [2] https://Securityheaders.io
>> [3] https://scotthelme.co.uk/csp-cheat-sheet/
>
> --
> Regards
> Nitin Kadam
> (9967688959)
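The kind of CacheControl filter Peter refers to, as an added example (not code from this thread, from the Stack Overflow answer, or from Tomcat itself): a servlet Filter against the javax.servlet API of Tomcat 7 that sets Cache-Control: no-store before dispatching and hands the application a response wrapper that ignores later attempts to replace the header with "private". The class name and header values are my choice.

```java
// CacheControlFilter.java (added example, assumed class name and values).
// Forces a no-store cache policy on every response that passes through it
// and prevents downstream application code from overriding Cache-Control.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class CacheControlFilter implements Filter {
    private static final String CACHE_CONTROL = "Cache-Control";
    private static final String POLICY = "no-store, no-cache, must-revalidate";

    @Override
    public void init(FilterConfig config) { /* no init parameters needed */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Set the policy first so it is present even if the app never touches it.
        http.setHeader(CACHE_CONTROL, POLICY);
        http.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        http.setDateHeader("Expires", 0);        // already expired
        // The wrapper drops any Cache-Control set by servlets or the framework,
        // which is where Peter expects the "private" value to originate.
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override
            public void setHeader(String name, String value) {
                if (!CACHE_CONTROL.equalsIgnoreCase(name)) super.setHeader(name, value);
            }
            @Override
            public void addHeader(String name, String value) {
                if (!CACHE_CONTROL.equalsIgnoreCase(name)) super.addHeader(name, value);
            }
        });
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```

Register it in the application's WEB-INF/web.xml with both a <filter> element (filter-name plus filter-class CacheControlFilter) and a <filter-mapping> with url-pattern /*, as Peter stresses above; then confirm the change by requesting a page and reading the response headers rather than relying on a scanner report alone.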