tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: security headers
Date Wed, 01 Nov 2017 20:03:37 GMT
Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
> 
> I recently used on web.xml
> 
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
> </filter>
> 
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
> 
> to enable some security headers, but it won't enable Content
> Security Policy header. Is there any way to enable Content Security
> Policy at top server level???

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/
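
Added example (not part of the original message and not taken from the url-rewrite project): one way to apply the url-rewrite suggestion above so that every response carries a Content-Security-Policy header. It assumes the UrlRewriteFilter jar is in the webapp's WEB-INF/lib and that the filter reads its default WEB-INF/urlrewrite.xml; the policy value is a constructed sample, not a recommendation from the thread.

```xml
<!-- File 1: WEB-INF/web.xml fragment that registers UrlRewriteFilter
     (assumes the urlrewritefilter jar is present in WEB-INF/lib). -->
<filter>
  <filter-name>UrlRewriteFilter</filter-name>
  <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- File 2: WEB-INF/urlrewrite.xml (the filter's default configuration path). -->
<urlrewrite>
  <rule>
    <note>Add a Content-Security-Policy header to every response.</note>
    <!-- Matches every request path; with no <to> element the URL is left unchanged. -->
    <from>^/.*$</from>
    <!-- Constructed sample policy: tighten or extend it per application. -->
    <set type="response-header" name="Content-Security-Policy">default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'</set>
  </rule>
</urlrewrite>
```

Changing the header name to Content-Security-Policy-Report-Only lets the policy be observed in browser consoles before it is enforced.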