Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/16 11:37:27 UTC
svn commit: r1679716 - in /tomcat/trunk:
java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
webapps/docs/config/filter.xml webapps/docs/security-howto.xml
Author: markt
Date: Sat May 16 09:37:26 2015
New Revision: 1679716
URL: http://svn.apache.org/r1679716
Log:
set the headers rather than add them
Add header names to the docs and make clear that any existing headers will be replaced.
Add the filter to the security howto
Modified:
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
tomcat/trunk/webapps/docs/config/filter.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Sat May 16 09:37:26 2015
@@ -89,18 +89,18 @@ public class HttpHeaderSecurityFilter ex
// HSTS
if (hstsEnabled && request.isSecure() && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(HSTS_HEADER_NAME, hstsHeaderValue);
+ ((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
}
// anti click-jacking
if (antiClickJackingEnabled && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(
+ ((HttpServletResponse) response).setHeader(
ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
}
// Block content type sniffing
if (blockContentTypeSniffingEnabled && response instanceof HttpServletResponse) {
- ((HttpServletResponse) response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+ ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
}
chain.doFilter(request, response);
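Review bot: The HSTS branch keys on `request.isSecure()`, which behind a TLS-terminating reverse proxy is false unless something upstream of this filter (a connector with `secure="true"`, or RemoteIpValve/RemoteIpFilter honouring the proxy's protocol header) marks the request secure, so `Strict-Transport-Security` is silently omitted in exactly the deployment the security-howto hunk warns about; a comment on that line would spare a deployer the surprise: `// isSecure() reflects connector/RemoteIp configuration, not the client's view: behind a TLS-terminating proxy it is false unless the proxy's protocol header is honoured`. It is also worth noting that `setHeader` here only replaces what was set before this filter ran; a servlet or later filter that sets the same header name after `chain.doFilter`, or calls `response.reset()`, still wins, which the "will be replaced" wording in filter.xml could state explicitly. The enclosing `doFilter` method starts before this hunk.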
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat May 16 09:37:26 2015
@@ -724,9 +724,11 @@ FINE: Request "/docs/config/manager.html
<attributes>
<attribute name="hstsEnabled" required="false">
- <p>Will an HTTP Strict Transport Security (HSTS) header be added to the
- response. See <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a>
- for further details of HSTS. If not specified, the default value of
+ <p>Will an HTTP Strict Transport Security (HSTS) header
+ (<code>Strict-Transport-Security</code>) be set on the response for
+ secure requests. Any HSTS header already present will be replaced. See
+ <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a> for further
+ details of HSTS. If not specified, the default value of
<code>true</code> will be used.</p>
</attribute>
@@ -743,8 +745,9 @@ FINE: Request "/docs/config/manager.html
</attribute>
<attribute name="antiClickJackingEnabled" required="false">
- <p>Should the anti click-jacking <code>X-Frame-Options</code> be added
- to the response. If not specified, the default value of
+ <p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
+ be set on the response. Any anti click-jacking header already present
+ will be replaced. If not specified, the default value of
<code>true</code> will be used.</p>
</attribute>
@@ -762,9 +765,10 @@ FINE: Request "/docs/config/manager.html
</attribute>
<attribute name="blockContentTypeSniffingEnabled" required="false">
- <p>Should the header that blocks content type sniffing be added to every
- response. If not specified, the default value of <code>true</code> will
- be used.</p>
+ <p>Should the header that blocks content type sniffing
+ (<code>X-Content-Type-Options</code>) be set on every response. If
+ already present, the header will be replaced. If not specified, the
+ default value of <code>true</code> will be used.</p>
</attribute>
</attributes>
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1679716&r1=1679715&r2=1679716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Sat May 16 09:37:26 2015
@@ -468,6 +468,13 @@
can be configured and used to reject requests that had errors during
request parameter parsing. Without the filter the default behaviour is
to ignore invalid or excessive parameters.</p>
+
+ <p><a href="config/filter.html">HttpHeaderSecurityFilter</a> can be
+ used to add headers to responses to improve security. If clients access
+ Tomcat directly, then you probably want to enable this filter and all the
+ headers it sets unless your application is already setting them. If Tomcat
+ is accessed via a reverse proxy, then the configuration of this filter needs
+ to be co-ordinated with any headers that the reverse proxy sets.</p>
</section>
<section name="General">