Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/11/10 10:22:07 UTC
[tomcat] branch 9.0.x updated: Add HTTP header security filter to
manager, host manager and examples
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 6e232f8 Add HTTP header security filter to manager, host manager and examples
6e232f8 is described below
commit 6e232f825d53abe1406bc9a9b8add67743b3f35d
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Nov 10 10:21:04 2020 +0000
Add HTTP header security filter to manager, host manager and examples
---
webapps/docs/changelog.xml | 4 ++++
webapps/examples/WEB-INF/web.xml | 18 ++++++++++++++++++
webapps/host-manager/WEB-INF/web.xml | 17 +++++++++++++++++
webapps/manager/WEB-INF/web.xml | 17 +++++++++++++++++
4 files changed, 56 insertions(+)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 168806b..f22e1f1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -180,6 +180,10 @@
<code>SameSite=strict</code> for all cookies, including session cookies,
created by the application. (markt)
</add>
+ <add>
+ Configure the examples, Manager and Host Manager to use the HTTP header
+ security filter with default settings apart from no HSTS header. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/examples/WEB-INF/web.xml b/webapps/examples/WEB-INF/web.xml
index 8f86f5f..9e73861 100644
--- a/webapps/examples/WEB-INF/web.xml
+++ b/webapps/examples/WEB-INF/web.xml
@@ -65,6 +65,18 @@
</init-param>
</filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it -->
+ <!-- interferes with an existing setting. Keep X-Content-Type-Options -->
+ <!-- and X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
<!-- Define filter mappings for the timing filters -->
<!--
<filter-mapping>
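Review bot: The new comment's last sentence, `Keep X-Content-Type-Options and X-XSS-Protection as they are page specific`, reads as though those headers were being withheld, when the filter is in fact emitting them with its defaults and only HSTS is switched off. Suggest rewording the block to `<!-- Only HSTS is disabled: it applies to the whole host and could override an existing policy. X-Frame-Options, X-Content-Type-Options and X-XSS-Protection only affect the response they are sent on, so the filter defaults are kept. -->`. The host-manager and manager hunks below carry the same comment text (re-wrapped) and would benefit from the same change. The `<filter>` element itself is complete within the hunk; the surrounding filter list starts outside it.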
@@ -87,6 +99,12 @@
</filter-mapping>
-->
+ <!-- Enable header security filter for all requests -->
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<!-- Define example application events listeners -->
<listener>
<listener-class>listeners.ContextListener</listener-class>
diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml
index e9faa2c..54d7d4f 100644
--- a/webapps/host-manager/WEB-INF/web.xml
+++ b/webapps/host-manager/WEB-INF/web.xml
@@ -56,11 +56,28 @@
</init-param>
</filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+ <!-- with an existing setting. Keep X-Content-Type-Options and -->
+ <!-- X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
<filter-mapping>
<filter-name>CSRF</filter-name>
<servlet-name>HTMLHostManager</servlet-name>
</filter-mapping>
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<!-- Define the Manager Servlet Mapping -->
<servlet-mapping>
<servlet-name>HostManager</servlet-name>
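Review bot: The `/*` mapping only covers responses that reach the filter chain; both Manager apps are protected by a `<security-constraint>` (the manager hunk ends on one), and the 401/403 responses the container's authenticator produces for it are, to my understanding of Tomcat's valve/filter ordering, generated before any filter runs and so will not carry X-Frame-Options or the other headers — worth confirming against an unauthenticated request. The manager web.xml hunk is affected in the same way, so one check covers both. That gap is probably acceptable for a login challenge, but recording it next to the filter would save the next reader the same investigation, e.g. `<!-- Note: responses generated by the authenticator (401/403) are sent before the filter chain and are not covered. -->`.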
diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
index e73aae0..ac70577 100644
--- a/webapps/manager/WEB-INF/web.xml
+++ b/webapps/manager/WEB-INF/web.xml
@@ -100,11 +100,28 @@
</init-param>
</filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+ <!-- with an existing setting. Keep X-Content-Type-Options and -->
+ <!-- X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
<filter-mapping>
<filter-name>CSRF</filter-name>
<servlet-name>HTMLManager</servlet-name>
</filter-mapping>
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<!-- Define a Security Constraint on this Application -->
<!-- NOTE: None of these roles are present in the default users file -->
<security-constraint>