Posted to users@tomcat.apache.org by Nitin Kadam <ni...@gmail.com> on 2019/10/03 13:54:17 UTC

Content Security policy for Tomcat 8.5

Hello All,

Internal security team recommended setting the *Content Security Policy* header
for the web server, as the same is not compliant with the security standard.
Can you please help me with setting CSP filters for my Tomcat application hosted
on a Windows server.

-- 
Regards
Nitin Kadam

Re: Content Security policy for Tomcat 8.5

Posted by Nitin Kadam <ni...@gmail.com>.
Hello,

Thanks for replying...

My current Tomcat version is 8.5.x, hosted on a Windows 2012 R2 server, with no
other web server as a front-end web server.

CSP value shared with me is: "default-src 'self' 'unsafe-eval'
'unsafe-inline' *.mycompany.com; script-src 'self' 'unsafe-inline'
'unsafe-eval'; img-src 'self' *.mycompany.com data:; connect-src ‘self’
*.mycompany.com"

I am new to Tomcat setup and am able to add a header filter for other headers,
but didn't find much help for the CSP one.

On Fri, Oct 4, 2019 at 3:08 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Nitin,
>
> On 10/3/19 09:54, Nitin Kadam wrote:
> > Hello All,
> >
> > Internal security team recommended setting the *Content Security Policy*
> > header for the web server, as the same is not compliant with the security
> > standard. Can you please help me with setting CSP filters for my Tomcat
> > application hosted on a Windows server.
>
> Do you know the value you want to use for your CSP header?
>
> Enabling the header can be done in a number of ways, including using
> http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>
> -chris

-- 
Regards
Nitin Kadam
(9967688959)

Re: Content Security policy for Tomcat 8.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nitin,

On 10/3/19 09:54, Nitin Kadam wrote:
> Hello All,
>
> Internal security team recommended setting the *Content Security Policy*
> header for the web server, as the same is not compliant with the security
> standard. Can you please help me with setting CSP filters for my Tomcat
> application hosted on a Windows server.

Do you know the value you want to use for your CSP header?

Enabling the header can be done in a number of ways, including using
http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html

-chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2WajgACgkQHPApP6U8
pFg9VxAAuhUwoIwgFmT23ynF/DNJxVaHVcIpu3v6ekHOE59T8mL4wd6s8356nw7G
tR19Q8S8aiRNiPWIfa9N5Ifis2p9KCJVCxck9PPxzqCVYM2wLaBWIzyoJz3GRQ4S
hDLdEhGJYEDUY6Oc1LLaa/ZhFz6+cb03NXRtmMT+ynVyO1w3BgL9+DbRhbqdbEd2
SeFlAQTudakOcHe1nfy5r0pyaoGAVcPp5G6vLLtanWTPSpe2lWlRlW3Y6UAPFYBz
g2iNoIfsvIUR4sGcHcJXQZZ4hPFCvmOdziCXx1duG3P2ki4HZ11Zn3FyqfexCAwb
7Di1f7m0kIZ52b/a6gDagZ5zg3FPKkDw4esW7ml0Bm73va4yD0hmg7Pv/nBIalcI
hNOl0fxpPnuq/XzfCzZM8ep7MweHD9U0xDnQQ6nVdLz8HjbM0fvUxe375brASGcT
KuCC3xqLy2xokVwNN+AAi5ccsOB+b5hPzF69XT4DlvZszTuwsYpIFCudfvVY/Zzk
SSogvNDGF5ERll7xVS6//NguwPfMFzeS7v01AtP+ojf6Bl4c6jEoH8mEgckTaVyR
R5kX9yeDOwnA2Q8DHOw32R748UcfoErophkGLbqpuS3uHIkQQQA0UuWgFWZHDUfl
H2DBkFtDmlCLQR4m8F6WCbANsllZvf9LQBfsysCDb66CvMep9wQ=
=oC/r
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
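Following up on Chris's answer, here is one concrete way to emit the header that needs no front-end web server and no web.xml edit: a servlet Filter registered by annotation, which Tomcat 8.5 (Servlet 3.1) picks up on deployment. This is an added example, not code from the thread, from Tomcat or from its HttpHeaderSecurityFilter (which does not handle CSP); the package, class name and init-param names are assumptions. It carries the policy Nitin posted, with one caveat a browser test would surface: the connect-src 'self' token in the thread appears with typographic quotes, and CSP tokenisation only recognises the ASCII apostrophe, so the example uses ASCII quotes throughout and refuses to start if the configured policy contains any non-ASCII character. Note also that with 'unsafe-inline' and 'unsafe-eval' in script-src this policy satisfies a checklist but gives essentially no XSS mitigation; the reportOnly switch is there so a tighter policy can be trialled as Content-Security-Policy-Report-Only before it is enforced.

```java
// Added example, not from the thread or from Tomcat: a servlet Filter that
// sets Content-Security-Policy on every response of the web application.
// Tomcat 8.5 implements Servlet 3.1, so @WebFilter registers it without
// web.xml. Package, class name and init-param names are assumptions.
package com.example.csp;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

@WebFilter(
    filterName = "ContentSecurityPolicyFilter",
    urlPatterns = "/*",
    initParams = {
        // The policy from the thread, written with ASCII apostrophes only.
        // A typographic quote (as around one 'self' in the thread) is an
        // unknown token to the browser and silently breaks that directive.
        @WebInitParam(name = "policy",
            value = "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.mycompany.com; "
                  + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                  + "img-src 'self' *.mycompany.com data:; "
                  + "connect-src 'self' *.mycompany.com"),
        // "true" sends Content-Security-Policy-Report-Only instead, so a
        // stricter policy can be observed in the browser console before
        // it blocks anything.
        @WebInitParam(name = "reportOnly", value = "false")
    })
public class ContentSecurityPolicyFilter implements Filter {

    private static final String ENFORCE_HEADER = "Content-Security-Policy";
    private static final String REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";

    private String headerName;
    private String policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        policy = config.getInitParameter("policy");
        if (policy == null || policy.trim().isEmpty()) {
            throw new ServletException("policy init-param is required");
        }
        // Fail deployment rather than ship a header value containing a
        // control or non-ASCII character (e.g. a smart quote pasted in).
        for (int i = 0; i < policy.length(); i++) {
            char c = policy.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                throw new ServletException("policy contains an illegal character at index "
                        + i + ": U+" + Integer.toHexString(c).toUpperCase());
            }
        }
        boolean reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
        headerName = reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set before the chain runs so the header is in place before the
            // response is committed. setHeader, not addHeader: browsers enforce
            // the intersection of every CSP header they receive, so a second
            // copy from another layer would tighten the policy unexpectedly.
            ((HttpServletResponse) response).setHeader(headerName, policy);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Put the compiled class under WEB-INF/classes (or in a jar under WEB-INF/lib) of the application; Tomcat scans @WebFilter annotations unless the application's web.xml sets metadata-complete="true". To check the result, request any page of the application and confirm that exactly one Content-Security-Policy header comes back (for instance with curl -sI against the application URL). If two appear, something else is also setting it, and the browser will apply both.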