Hi James,
Peter Kreuser

> On 02.10.2019 at 08:05, <jonmcalexan...@wellsfargo.com.invalid> <jonmcalexan...@wellsfargo.com.invalid> wrote:
>
> Tomcat 7.0.63 and above.
>
> Navigate to the tomcat conf directory and open the web.xml with a text editor.
>
> In the filter section of the web.xml add the following filter:
>
> <filter>
> <filter-name>httpHeaderSecurity</filter-name>
> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> <init-param>
> <param-name>antiClickJackingOption</param-name>
> <param-value>SAMEORIGIN</param-value>
> </init-param>
> </filter>

+1

Beware of going with the defaults in a local environment. Set the parameter includesubdomains of HSTS to false, or the browsers will redirect any other subdomain-site to https! Not easy to get rid of this afterwards!

If you need different values for the headers (x-frame-options), you may also copy these settings to your webapp's web.xml.

Peter

> In the filter mapping section of the web.xml add the following.
>
> <filter-mapping>
> <filter-name>httpHeaderSecurity</filter-name>
> <url-pattern>/*</url-pattern>
> <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Asst Vice President
>
> Middleware Product Engineering
> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
>
> -----Original Message-----
> From: jam...@touchtonecorp.com <jam...@touchtonecorp.com>
> Sent: Wednesday, October 2, 2019 12:35 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Security issue involving HTTP response headers
>
> We have a customer who is particularly concerned about security.
>
> We just updated their Tomcat, which solved all the issues coming up in their
> security scan, except for one involving the following HTTP headers:
>
> X-FRAME-OPTIONS
> X-XSS-PROTECTION
> X-CONTENT-TYPE-OPTIONS
>
> and strict transport security.
>
> The environment is Tomcat 7.0.93, JSSE, running on an AS/400.
>
> Is this something to be fixed in a configuration file, or the webapp, or
> someplace else?
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
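As an added check after applying the filter (example code, not from the thread or from Tomcat), a small Python audit of the headers James listed, with Peter's includeSubDomains caveat raised as a finding for local environments; the sample response headers are constructed, not captured from a real server:

```python
from typing import Dict, List

# Added example, not code from the thread or from Tomcat. These are the three
# headers James' scanner flagged; the audit checks them for presence.
REQUIRED = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.
    Tomcat writes them without a space after ';', so strip each piece."""
    policy = {"max-age": None, "includeSubDomains": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max-age"] = int(val)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
    return policy


def audit_headers(headers: Dict[str, str], local_env: bool = False) -> List[str]:
    """Return findings (empty list: all passed); names compare case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {n}" for n in REQUIRED if n.lower() not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
        return findings
    policy = parse_hsts(hsts)
    if not policy["max-age"]:
        # max-age=0 tells browsers to drop the HSTS entry (RFC 6797 6.1.1).
        findings.append("HSTS max-age missing or zero: policy is not retained")
    if local_env and policy["includeSubDomains"]:
        # Peter's caveat: every subdomain gets forced to https, hard to undo.
        findings.append("HSTS includeSubDomains set in a local environment")
    return findings


# Constructed sample response, not captured from a real server: the filter
# from the thread with SAMEORIGIN, nosniff and a one-year HSTS policy.
SAMPLE_LOCAL = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
}

if __name__ == "__main__":
    print(audit_headers(SAMPLE_LOCAL, local_env=True))
```

For a live check, pass `dict(urllib.request.urlopen(url).getheaders())` instead of the constructed sample.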