tomcat-users mailing list archives

From "Peter@Kreuser-Online" <l...@kreuser.name>
Subject Re: Http insecure headers
Date Tue, 05 Mar 2019 07:50:47 GMT
Nitin,

sorry for my late reply.


> On 27.02.2019 at 17:01, Nitin Kadam <nitinkadam1982@gmail.com> wrote:
> 
> Hello ,
> 
> We didn't have any reverse proxy in the middle layers and we have added filters in web.config only. Please find attached snaps of the same.
> I am new to Tomcat so wasn't able to understand all the terms.
> 

Well, your added filter will not help if there is already code in place.
To find a possible configuration you may check your webapp's web.xml (located in the
WEB-INF directory). But that all depends on the webapp...
Is this application developed by you/your company or by somebody else? You may need help from
the developer.

Best regards

Peter

>> On Wed, Feb 27, 2019 at 9:20 PM logo <logo@kreuser.name> wrote:
>>  
>> 
>> Hello Nitin, 
>> 
>> On 27.02.2019 16:34, Nitin Kadam wrote:
>> 
>> > Hello Team, 
>> > 
>> > I have added the below given filter and restarted the tomcat service but it still shows
>> > Cache-Control as private.
>> > Please help me on the same.
>> 
>> Pictures are stripped off the mailing list, so better send us text logs.
>> 
>> 
>> Nevertheless, as I told you before, the Cache-Control header may come from
>> your webapp. So you have to check the web.xml of the app for a possible
>> filter. Maybe it's also in the framework or the servlets itself. What is
>> happening if you request a resource from another context?
>> If it is set in the app, then possibly nothing in tomcat will be able to
>> remove it from the response (maybe a reverse proxy like apache or
>> nginx). 
>> 
>> Hope this helps. 
>> 
>> Peter 
>> 
>> > On Wed, Feb 27, 2019 at 2:54 PM logo <logo@kreuser.name> wrote: 
>> > 
>> >> Hi Nitin,
>> >> 
>> >> On 27.02.2019 10:11, Nitin Kadam wrote:
>> >>> Sorry for the typo in the earlier email, I was talking about ExpiresFilter only.
>> >>> 
>> >>> So how do I add this filter and filter mapping? Do I need to add
>> >>> both in the existing <filter-name>httpHeaderSecurity</filter-name>?
>> >>> 
>> >>> 
>> >>> <filter>
>> >>> <filter-name>ExpiresFilter</filter-name>
>> >>> 
>> >>> <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
>> >>> <init-param>
>> >>> <param-name>ExpiresByType image</param-name>
>> >>> <param-value>access plus 10 days</param-value>
>> >>> </init-param>
>> >>> <init-param>
>> >>> <param-name>ExpiresByType text/css</param-name>
>> >>> <param-value>access plus 10 hours</param-value>
>> >>> </init-param>
>> >>> <init-param>
>> >>> <param-name>ExpiresByType application/javascript</param-name>
>> >>> <param-value>access plus 10 minutes</param-value>
>> >>> </init-param>
>> >>> <!-- Let everything else expire immediately -->
>> >>> <init-param>
>> >>> <param-name>ExpiresDefault</param-name>
>> >>> <param-value>access plus 0 seconds</param-value>
>> >>> </init-param></filter>
>> >> 
>> >> This is an extra entry. I don't know if you should really put this in 
>> >> the global web.xml or rather in your application's web.xml. Maybe Mark 
>> >> can let us know more about possible consequences?
>> >> 
>> >> Add the <filter>...</filter> AND the <filter-mapping>!!!
>> >> 
>> >> Peter
>> >> 
>> >>> 
>> >>> 
>> >>> On Wed, Feb 27, 2019 at 1:59 PM logo <logo@kreuser.name> wrote:
>> >>> 
>> >>>> Hello Nitin,
>> >>>> 
>> >>>> On 27.02.2019 08:52, Nitin Kadam wrote:
>> >>>>> Hello,
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> How can I change "Cache-Control: private" to "Cache-Control: no-store"?
>> >>>>>
>> >>>>> I searched and found that I need to add express filters in web config but
>> >>>>> not sure on where to add the filters.
>> >>>>>
>> >>>>> Can you please guide me on the same?
>> >>>>>
>> >>>> 
>> >>>> as far as I can tell, that header is already set by your application -
>> >>>> Tomcat will not set it by default. Not to "private" for sure.
>> >>>> So it may be necessary to change that in your config, maybe even code.
>> >>>> 
>> >>>> Usually you would have to implement a CacheControl filter like the one
>> >>>> mentioned here at stackoverflow
>> >>>> https://stackoverflow.com/questions/2876250/tomcat-cache-control [1]
>> >>>> 
>> >>>> I don't know if the new ExpiresFilter will let you set the
>> >>>> Cache-Control-Header to that necessary value (other than max-age=0).
>> >>>> 
>> >>>> From my experience and the long history of many different browsers using
>> >>>> different headers, the one header will maybe solve a vulnscan issue but
>> >>>> not the compatibility with "all" browsers.
>> >>>> 
>> >>>> Peter
>> >>>> 
>> >>>> 
>> >>>>>
>> >>>>> On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online <logo@kreuser.name> wrote:
>> >>>>>
>> >>>>>> Hi Nitin,
>> >>>>>>
>> >>>>>> Per se this can be done by enabling the
>> >>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter
>> >>>>>> in the global or your webapp's web.xml
>> >>>>>>
>> >>>>>> For CSP you should write your own Filter.
>> >>>>>>
>> >>>>>> Beware though that Content Security Policy is nothing that can be enabled
>> >>>>>> without application knowhow, the right settings for your needs and
>> >>>>>> intensive testing. You may really break inline Javascript in your pages
>> >>>>>> (css too).
>> >>>>>>
>> >>>>>> Please check out the great websites of Scott Helme on the headers
>> >>>>>> https://Securityheaders.io [2] or
>> >>>>>> https://scotthelme.co.uk/csp-cheat-sheet/ [3]
>> >>>>>>
>> >>>>>>
>> >>>>>> Peter
>> >>>>>>
>> >>>>>> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1982@gmail.com> wrote:
>> >>>>>> >
>> >>>>>> > Hello Team
>> >>>>>> >
>> >>>>>> > Need help to enable the below security headers in Apache Tomcat 7.0.79.
>> >>>>>> > Operating system is Windows 2012 R2.
>> >>>>>> >
>> >>>>>> > 1. Content security headers
>> >>>>>> > 2. HSTS header
>> >>>>>> >
>> >>>>>> > Regards
>> >>>>>> > Nitin
>> >>>>>>
>> >>>> 
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
>> >>>> 
>> >>>> 
>> >> 
>> > 
>> > -- 
>> > 
>> > Regards
>> > Nitin Kadam
>> > (9967688959)
>> 
>> 
>> 
>> Links:
>> ------
>> [1] https://stackoverflow.com/questions/2876250/tomcat-cache-control
>> [2] https://Securityheaders.io
>> [3] https://scotthelme.co.uk/csp-cheat-sheet/
> 
> 
> -- 
> Regards
> Nitin Kadam
> (9967688959)
> 
