From: "Cheltenham, Chris"
To: "Tomcat Users List"
Subject: RE: security headers
Date: Thu, 2 Nov 2017 09:39:17 -0400 (EDT)
Message-ID: <002e01d353df$fb04e210$f10ea630$@philasd.org>
In-Reply-To: <59FB1F32.3090609@ice-sa.com>
References: <89de0a95-f7ff-cbc3-6e65-aca3b25ade9e@kymsolutions.com> <002c01d353d9$e8978890$b9c699b0$@philasd.org> <59FB1F32.3090609@ice-sa.com>
Mailing-List: users@tomcat.apache.org

Yes that was the wrong thread but thank you.

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
Sent: Thursday, November 2, 2017 9:36 AM
To: users@tomcat.apache.org
Subject: Re: security headers

You seem to be responding on the wrong thread, but here are some answers anyway (will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Schultz,
>
> I really appreciate your detailed answers.
> Helps me out a lot.
>
> I am now thinking big picture because my application does not require APR..
>
> May I ask this, what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time". Here is one explanation :
It is a software library, containing a series of functions which are often used by Apache Foundation programs of all kinds (not only tomcat), particularly in what regards network interfaces and protocols.
The people who make this APR make sure that it is available for many platforms (Windows, Linux etc.), and that it is really optimised for each of these different platforms.
To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised for any platform
or
2) if APR is available, then tomcat can use instead some calls which exist in the APR library, and which may be more optimised for the current platform on which it is running

When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which are maybe a bit slower. And just to let you know that, it will print a friendly message to the log, to let you know that maybe this is not the most optimal solution, in terms of ultimate tomcat performance. But this is just an informational message, and you can decide to ignore it, and run tomcat anyway without APR (which many people do, and most of the time they will not notice the difference).

There is a secondary effect which needs to be considered when using SSL (HTTPS) :
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR functions rely on the underlying presence of SSL libraries provided by another package, named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these builtin functions require another format for the SSL keys and key stores. So the parameters used in the elements are a bit different in each case.
This is well explained in the tomcat on-line documentation.

>
> I am thinking to scrap the whole APR install.
>
> The reason I am trying to install it is because of my anal need to
> have clean logs.

I won't even try to interpret this..

> I can't stand any messages suggesting or recommending that I do this
> or that.
They are just friendly messages, like the Amazon "other readers who have purchased this book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them ?

> However, in this case it may be the best to ignore the catalane log
> message saying that I should install APR.
>

catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, and so is tomcat usually.

>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, November 1, 2017 4:04 PM
> To: users@tomcat.apache.org
> Subject: Re: security headers
>
> Alejandro,
>
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>>
>> I recently used on web.xml
>>
>> <filter>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>     <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> to enable some security headers, but it won't enable Content Security
>> Policy header. Is there anyway to enable Content Security Policy at
>> top server level???
>
> What were you expecting that Filter to generate for you? A header which
> disables everything? Not terribly useful.
>
> My recommendation would be to use something like url-rewrite[1] to add
> headers to every outgoing response. url-rewrite has very similar
> capabilities to httpd's mod_headers (and much more, of course).
>
> -chris
>
> [1] http://tuckey.org/urlrewrite/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
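The thread above ends with Alejandro noting that HttpHeaderSecurityFilter does not emit a Content-Security-Policy header and Chris Schultz pointing at url-rewrite. As an added example that is not part of the thread and is not Tomcat's own code, here is the other common route: a small servlet Filter of your own, mapped in web.xml next to the httpHeaderSecurity filter, that sets the header on every response. It assumes the javax.servlet API that Tomcat 8.x/9.x exposed at the time of the thread (Tomcat 10 and later moved to jakarta.servlet); the package name example.filters, the class name ContentSecurityPolicyFilter, the init-param names policy and reportOnly, and the default policy string are all hypothetical choices made for this example.

```java
// Added example, not Tomcat code: a servlet Filter that adds
// Content-Security-Policy (or its Report-Only variant) to every response.
// Package, class and init-param names are hypothetical. Targets the
// javax.servlet API of Tomcat 8/9.
package example.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {

    // Deliberately strict default: same-origin resources only, no plugins,
    // no framing, no <base> hijacking. Loosen per application via the
    // "policy" init-param rather than by editing this constant.
    private static final String DEFAULT_POLICY =
            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'";

    private String policy = DEFAULT_POLICY;
    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
        // reportOnly=true emits Content-Security-Policy-Report-Only: browsers
        // report violations (console, or report-uri/report-to if you add one)
        // but block nothing. Boolean.parseBoolean(null) is false.
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            String name = reportOnly
                    ? "Content-Security-Policy-Report-Only"
                    : "Content-Security-Policy";
            // Set the header BEFORE invoking the rest of the chain: once the
            // servlet commits the response, headers can no longer be added.
            // Do not overwrite a policy an earlier filter already set.
            if (!http.containsHeader(name)) {
                http.setHeader(name, policy);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* Matching web.xml entries, placed alongside the httpHeaderSecurity
   filter shown in the thread:

<filter>
    <filter-name>contentSecurityPolicy</filter-name>
    <filter-class>example.filters.ContentSecurityPolicyFilter</filter-class>
    <init-param>
        <param-name>policy</param-name>
        <param-value>default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'</param-value>
    </init-param>
    <init-param>
        <param-name>reportOnly</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>contentSecurityPolicy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
*/
```

Roll it out with reportOnly set to true first, watch the browser console (or a report-uri endpoint) for violations from the application's own inline scripts and third-party resources, then switch to enforcing mode once the policy is tuned. Resist adding 'unsafe-inline' to script-src just to silence those reports; that removes most of the cross-site-scripting protection CSP provides. The frame-ancestors 'none' directive overlaps with the X-Frame-Options: DENY header that HttpHeaderSecurityFilter already sends, which is fine: older browsers honour only the latter. A quick check from the command line is `curl -sI https://your-host/app/ | grep -i content-security-policy`.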