Hi Yemi,

You may implement servlet filters to insert these security headers before the response reaches the client.

I hope this helps.
Ike

-----Original Message-----
From: Olayemi Olatunji <olay...@theobligato.com>
Sent: Tuesday, March 26, 2019 3:37 AM
To: users@tomcat.apache.org
Subject: Setting headers in tomcat 9

Hello,

I'm deploying an application on Tomcat 9 which a client has requested we conduct a vulnerability test on. The test came back with missing headers for the following: Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Feature-Policy.

How can this be resolved/patched?

Kind regards
Olayemi
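The servlet-filter approach suggested in the reply above, sketched as an added example that is not code from either poster or from the Tomcat project. The package and class names are hypothetical, and every header value is an assumed starting policy that has to be tuned to the application (the Content-Security-Policy in particular).

```java
package com.example.security; // hypothetical package name

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Tomcat 9 implements Servlet 4.0, where Filter.init() and destroy() have defaults.
// ERROR is included so responses rendered via error-page dispatches get the headers too.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.ERROR})
public class SecurityHeadersFilter implements Filter {

    // The six headers named in the scan report; values are assumptions, not recommendations.
    private static final Map<String, String> HEADERS = new LinkedHashMap<>();
    static {
        HEADERS.put("Content-Security-Policy", "default-src 'self'");
        HEADERS.put("X-Frame-Options", "SAMEORIGIN");
        HEADERS.put("X-XSS-Protection", "1; mode=block");
        HEADERS.put("X-Content-Type-Options", "nosniff");
        HEADERS.put("Referrer-Policy", "strict-origin-when-cross-origin");
        HEADERS.put("Feature-Policy", "geolocation 'none'; camera 'none'; microphone 'none'");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set headers BEFORE chain.doFilter(): once the response is committed,
            // setHeader() is silently ignored. A servlet further down the chain can
            // still replace any of these by calling setHeader() itself.
            for (Map.Entry<String, String> h : HEADERS.entrySet()) {
                http.setHeader(h.getKey(), h.getValue());
            }
        }
        chain.doFilter(req, res);
    }
}
```

Tomcat 9 also ships `org.apache.catalina.filters.HttpHeaderSecurityFilter`, which can emit X-Frame-Options, X-Content-Type-Options and X-XSS-Protection when enabled in `web.xml`; the other three headers in the report still need a filter like the one above.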