RE: Security issue involving HTTP response headers

Tue, 01 Oct 2019 23:06:12 -0700 

Tomcat 7.0.63 and above.

Navigate to the tomcat conf directory and open the web.xml with a text editor.

In the filter section of the web.xml add the following filter

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

In the filter mapping section of the web.xml add the following.

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>



Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[email protected]


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

-----Original Message-----
From: [email protected] <[email protected]> 
Sent: Wednesday, October 2, 2019 12:35 AM
To: Tomcat Users List <[email protected]>
Subject: Security issue involving HTTP response headers

We have a customer who is particularly concerned about security.

We just updated their Tomcat, which solved all the issues coming up in their 
security scan, except for one involving the following HTTP headers:

X-FRAME-OPTIONS
X-XSS-PROTECTION
X-CONTENT-TYPE-OPTIONS

and strict transport security.

The environment is Tomcat 7.0.93, JSSE, running on an AS/400.

Is this something to be fixed in a configuration file, or the webapp, or 
someplace else?
-- 
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to