tomcat-users mailing list archives

From "Cheltenham, Chris" <ccheltenham-...@philasd.org>
Subject RE: security headers
Date Thu, 02 Nov 2017 12:55:49 GMT
Mr. Schultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR.

May I ask this: what exactly does APR give me for apache-tomcat?

I am thinking of scrapping the whole APR install.

The reason I am trying to install it is because of my anal need to have 
clean logs.
I can’t stand any messages suggesting or recommending that I do this or 
that.
I have always tried to accommodate those recommendations.
However, in this case it may be best to ignore the catalina log message 
saying that I should install APR.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers


Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
> </filter>
>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> to enable some security headers, but it won't enable Content Security
> Policy header. Is there any way to enable Content Security Policy at
> top server level???

What were you expecting that Filter to generate for you? A header which 
disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add 
headers to every outgoing response. url-rewrite has very similar 
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
