Posted to users@tomcat.apache.org by Dustin Delage <dd...@sagecomputing.com> on 2016/11/14 21:11:32 UTC
Tomcat 9 How do you set httpHeaderSecurity properly
Trying to enable some header filters in web.xml and NOT having any luck. I
pretty much had to guess how to do this and my config looks like this:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>blockContentTypeSniffingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
Thank You,
Dustin Delage
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 9 How do you set httpHeaderSecurity properly
Posted by Dustin Delage <dd...@sagecomputing.com>.
Thanks
RE: Tomcat 9 How do you set httpHeaderSecurity properly
Posted by Dustin Delage <dd...@sagecomputing.com>.
Works now, thanks.
Re: Tomcat 9 How do you set httpHeaderSecurity properly
Posted by Mark Thomas <ma...@apache.org>.
On 14/11/2016 21:32, Dustin Delage wrote:
> What's this filter mapping you speak of?
https://java.net/downloads/servlet-spec/Final/servlet-3_1-final.pdf
The Tomcat docs (and to a lesser extent this list) assume users of
Tomcat are familiar with the Servlet specification.
While it appears you need to read all of that document fairly soon,
chapter 6 should answer your immediate questions.
Mark
RE: Tomcat 9 How do you set httpHeaderSecurity properly
Posted by Dustin Delage <dd...@sagecomputing.com>.
What's this filter mapping you speak of?
Re: Tomcat 9 How do you set httpHeaderSecurity properly
Posted by Mark Thomas <ma...@apache.org>.
On 14/11/2016 21:11, Dustin Delage wrote:
> Trying to enable some header filters in web.xml and NOT having any luck. I
> pretty much had to guess how to do this and my config looks like this:
>
> <filter>
> <filter-name>httpHeaderSecurity</filter-name>
>
> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> <init-param>
>
> <param-name>blockContentTypeSniffingEnabled</param-name>
> <param-value>true</param-value>
> </init-param>
Not necessary - that is the default.
> <init-param>
>
> <param-name>antiClickJackingEnabled</param-name>
> <param-value>true</param-value>
> </init-param>
Not necessary - that is the default.
> <init-param>
>
> <param-name>antiClickJackingOption</param-name>
> <param-value>SAMEORIGIN</param-value>
> </init-param>
This one you will need.
> <init-param>
>
> <param-name>xssProtectionEnabled</param-name>
> <param-value>true</param-value>
> </init-param>
> <async-supported>true</async-supported>
Not necessary - that is the default.
> </filter>
And the filter mapping?
Mark
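
The filter mapping asked about above, shown as an added example that is not part of the original thread: a filter declared in web.xml is only invoked for requests matched by a filter-mapping with the same filter-name. The /* URL pattern and the REQUEST dispatcher are assumptions about the coverage wanted; the init-params that only restate defaults are dropped, as the reply suggests.

```xml
<!-- Added example, not from the thread: the poster's filter plus the missing mapping. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- The only non-default setting in the original post: the filter's default
         anti-clickjacking option is DENY, so SAMEORIGIN must be set explicitly. -->
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Without this element the filter is defined but never runs, so no headers are added. -->
<filter-mapping>
    <!-- Must match the filter-name above exactly. -->
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- Assumption: apply the headers to every URL of the web application. -->
    <url-pattern>/*</url-pattern>
    <!-- Assumption: apply to requests coming directly from the client. -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

After a reload, responses from the application should carry X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff, which can be confirmed by inspecting the response headers in the browser developer tools or with curl -I.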