Posted to users@tomcat.apache.org by Nitin Kadam <ni...@gmail.com> on 2019/02/19 18:13:56 UTC

Http insecure headers

Hello Team

Need help to enable the security headers below in Apache Tomcat 7.0.79
Operating system is Windows 2012 R2

1. Content security headers
2. HSTS header

Regards
Nitin

Re: Http insecure headers

Posted by "Peter@Kreuser-Online" <lo...@kreuser.name>.
Nitin,

Sorry for my late reply.


> On 27.02.2019 at 17:01, Nitin Kadam <ni...@gmail.com> wrote:
> 
> Hello,
> 
> We didn't have any reverse proxy in the middle layers and we have added filters in web.config only. Please find attached snaps of the same.
> I am new to Tomcat, so I wasn't able to understand all the terms.
> 

Well, your added filter will not help if there is already code in place.
To find a possible configuration you may check your webapp's web.xml (located in the WEB-INF directory). But that all depends on the webapp...
Is this application developed by you/your company or somebody else? You may need help from the developer.

Best regards

Peter


Re: Http insecure headers

Posted by Nitin Kadam <ni...@gmail.com>.
Hello ,

We didn't have any reverse proxy in the middle layers and we have added filters
in web.config only. Please find attached snaps of the same.
I am new to Tomcat, so I wasn't able to understand all the terms.



-- 
Regards
Nitin Kadam
(9967688959)

Re: Http insecure headers

Posted by logo <lo...@kreuser.name>.
 

Hello Nitin, 

On 27.02.2019 16:34, Nitin Kadam wrote:

> Hello Team,
>
> I have added the filter given below and restarted the Tomcat service; it still shows Cache Control as private.
> Please help me with the same.

Pictures are stripped off the mailing list, so better send us text logs.


Nevertheless, I told you before, the Cache-Control header may come from
your webapp. So you have to check the web.xml of the app for a possible
filter. Maybe it's also in the framework or the servlets themselves. What
happens if you request a resource from another context?
If it is set in the app, then possibly nothing in Tomcat will be able to
remove it from the response (maybe a reverse proxy like Apache or
nginx).

Hope this helps. 

Peter 


Re: Http insecure headers

Posted by Nitin Kadam <ni...@gmail.com>.
Hello Team,

I have added the filter given below and restarted the Tomcat service; it
still shows Cache Control as private.
Please help me with the same.

[image: image.png]


-- 
Regards
Nitin Kadam
(9967688959)

Re: Http insecure headers

Posted by logo <lo...@kreuser.name>.
Hi Nitin,

On 27.02.2019 10:11, Nitin Kadam wrote:
> Sorry for the typo in my earlier email; I was talking about ExpiresFilter only.
>
> So how do I add this filter and filter mapping? Do I need to add
> both in the existing <filter-name>httpHeaderSecurity</filter-name>?
>
>
> <filter>
>     <filter-name>ExpiresFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
>     <init-param>
>         <param-name>ExpiresByType image</param-name>
>         <param-value>access plus 10 days</param-value>
>     </init-param>
>     <init-param>
>         <param-name>ExpiresByType text/css</param-name>
>         <param-value>access plus 10 hours</param-value>
>     </init-param>
>     <init-param>
>         <param-name>ExpiresByType application/javascript</param-name>
>         <param-value>access plus 10 minutes</param-value>
>     </init-param>
>     <!-- Let everything else expire immediately -->
>     <init-param>
>         <param-name>ExpiresDefault</param-name>
>         <param-value>access plus 0 seconds</param-value>
>     </init-param>
> </filter>

This is an extra entry. I don't know if you should really put this in
the global web.xml or rather in your application's web.xml. Maybe Mark
can let us know more about possible consequences?

Add the <filter>...</filter> AND the <filter-mapping>!!!

Peter



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Http insecure headers

Posted by Nitin Kadam <ni...@gmail.com>.
Sorry for the typo in my earlier email; I was talking about ExpiresFilter only.

So how do I add this filter and filter mapping? Do I need to add
both in the existing <filter-name>httpHeaderSecurity</filter-name>?


<filter>
    <filter-name>ExpiresFilter</filter-name>
    <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
    <init-param>
        <param-name>ExpiresByType image</param-name>
        <param-value>access plus 10 days</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType text/css</param-name>
        <param-value>access plus 10 hours</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType application/javascript</param-name>
        <param-value>access plus 10 minutes</param-value>
    </init-param>
    <!-- Let everything else expire immediately -->
    <init-param>
        <param-name>ExpiresDefault</param-name>
        <param-value>access plus 0 seconds</param-value>
    </init-param>
</filter>



-- 
Regards
Nitin Kadam
(9967688959)

Re: Http insecure headers

Posted by logo <lo...@kreuser.name>.
Hello Nitin,

On 27.02.2019 08:52, Nitin Kadam wrote:
> Hello,
>
> How can I change “Cache Control - private” to “Cache-Control: nostore”?
>
> I searched and found that I need to add express filters in web config but
> am not sure where to add the filters.
>
> Can you please guide me on the same?
>

As far as I can tell, that header is already set by your application -
Tomcat will not set it by default. Not to "private" for sure.
So it may be necessary to change that in your config, maybe even code.

Usually you would have to implement a CacheControl filter like the one
mentioned here on Stack Overflow:
https://stackoverflow.com/questions/2876250/tomcat-cache-control

I don't know if the new ExpiresFilter will let you set the
Cache-Control header to the necessary value (other than max-age=0).

From my experience and the long history of many different browsers using
different headers, the one header will maybe solve a vulnscan issue but
not the compatibility with "all" browsers.

Peter




Re: Http insecure headers

Posted by Nitin Kadam <ni...@gmail.com>.
Hello,



How can I change “Cache Control - private” to “Cache-Control: nostore”?

I searched and found that I need to add express filters in web config but
am not sure where to add the filters.

Can you please guide me on the same?




-- 
Regards
Nitin Kadam
(9967688959)

Re: Http insecure headers

Posted by "Peter@Kreuser-Online" <lo...@kreuser.name>.
Hi Nitin,

Per se this can be done by enabling the org.apache.catalina.filters.HttpHeaderSecurityFilter
in the global or your webapp's web.xml.

For CSP you should write your own Filter.

Beware though that Content Security Policy is nothing that can be enabled without application know-how, the right settings for your needs and intensive testing. You may really break inline JavaScript in your pages (CSS too).

Please check out the great websites of Scott Helme on the Headers
https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/


Peter

> On 19.02.2019 at 19:13, Nitin Kadam <ni...@gmail.com> wrote:
> 
> Hello Team
> 
> Need help to enable the security headers below in Apache Tomcat 7.0.79
> Operating system is Windows 2012 R2
> 
> 1. Content security headers
> 2. HSTS header
> 
> Regards
> Nitin
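
Added example (not code from this thread or from the Tomcat project): a Servlet 3.0 filter covering the two cases discussed above, the Cache-Control value written by the webapp and the custom CSP filter, with its web.xml registration shown in comments next to Tomcat's HttpHeaderSecurityFilter for HSTS. The class name com.example.ResponseHeaderFilter, the filter name responseHeaders, the init-params policy and reportOnly, and the sample policy value are assumptions made for illustration.

```java
package com.example; // hypothetical package, not from the thread

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical registration in the webapp's WEB-INF/web.xml. HSTS comes from
// Tomcat's own filter, which sends the header only on HTTPS requests:
//
//   <filter>
//     <filter-name>httpHeaderSecurity</filter-name>
//     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
//     <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
//     <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>httpHeaderSecurity</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//
//   <filter>
//     <filter-name>responseHeaders</filter-name>
//     <filter-class>com.example.ResponseHeaderFilter</filter-class>
//     <init-param><param-name>policy</param-name><param-value>default-src 'self'</param-value></init-param>
//     <init-param><param-name>reportOnly</param-name><param-value>true</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>responseHeaders</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class ResponseHeaderFilter implements Filter {

    private String cspHeaderName = "Content-Security-Policy";
    private String cspPolicy = "default-src 'self'"; // constructed sample policy

    @Override
    public void init(FilterConfig config) throws ServletException {
        String policy = config.getInitParameter("policy");
        if (policy != null && !policy.trim().isEmpty()) {
            cspPolicy = policy.trim();
        }
        // Report-only mode reports violations without blocking anything, so
        // inline scripts and styles keep working while the policy is tested.
        if (Boolean.parseBoolean(config.getInitParameter("reportOnly"))) {
            cspHeaderName = "Content-Security-Policy-Report-Only";
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse http = (HttpServletResponse) response;
        // Set the headers before the application runs, while the response
        // is still uncommitted.
        http.setHeader("Cache-Control", "no-store");
        http.setHeader(cspHeaderName, cspPolicy);
        // Hand the application a wrapper so its own Cache-Control writes
        // cannot replace the value set above.
        chain.doFilter(request, new PinnedCacheControlResponse(http));
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Drops later Cache-Control writes (for example "private") made downstream. */
    private static final class PinnedCacheControlResponse extends HttpServletResponseWrapper {

        PinnedCacheControlResponse(HttpServletResponse response) {
            super(response);
        }

        private static boolean isCacheControl(String name) {
            return "Cache-Control".equalsIgnoreCase(name);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!isCacheControl(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!isCacheControl(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

The wrapper only affects servlets and filters that run after this filter in the chain; a header added by a front-end server is outside its reach.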