To enable the HTTP header security filter in Tomcat, add the lines below to tomcat_home/conf/web.xml:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <!-- this option only works in Tomcat 7.0.70 and above -->
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- true sends "X-XSS-Protection: 1; mode=block" -->
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Note:
1. X-Frame-Options: this response header improves the protection of web applications against clickjacking. It tells the browser whether or not the page may be rendered inside a frame, iframe or object.
DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin.
2. X-XSS-Protection: this header enables the cross-site scripting (XSS) filter built into the browser.
1; mode=block means the filter is enabled; rather than sanitizing the page, the browser will refuse to render it when an XSS attack is detected.
Note: for more details, refer to the Open Web Application Security Project (OWASP):
https://www.owasp.org/
Can these filters be enabled for a specific site on a tomcat server or are they server wide?
These filters can also be applied to a specific site (web application); add the same configuration in its web.xml.
Hello,
I am using the Acunetix web vulnerability scanner to identify vulnerabilities. When I ran the scanner it reported a Cross site scripting (content-sniffing) vulnerability. I have added the following tag, but after adding it I am still getting the Cross site scripting (content-sniffing) vulnerability.
<init-param>
    <param-name>xssProtectionEnabled</param-name>
    <param-value>true</param-value>
</init-param>
Tomcat version is 9.0.0.M17.
What should I do next? Is there anything I am missing?
Can you see the response headers below?
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
I have added the configuration below to the web.xml file in Tomcat version 9.0.0.M17 and can see the headers below:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
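To confirm that the filter configured above is actually mapped (the question raised in the comments), the small checker below inspects a response's headers for the three values the filter sends. It is an added example, not part of the original post or of Tomcat; the expected values follow the configuration shown above, and the sample header sets are constructed.

```python
"""Check a response for the headers Tomcat's HttpHeaderSecurityFilter adds."""
from http.client import HTTPConnection
from urllib.parse import urlparse

# Expected once the filter from web.xml is active:
#   antiClickJackingOption=SAMEORIGIN -> X-Frame-Options: SAMEORIGIN
#   xssProtectionEnabled=true        -> X-XSS-Protection: 1; mode=block
#   X-Content-Type-Options: nosniff is the filter's default (seen above)
EXPECTED = {
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": {"nosniff"},
    "X-XSS-Protection": {"1; mode=block"},
}

def check_security_headers(headers):
    """Return {header name: 'ok' | 'missing' | 'unexpected: <value>'}.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    result = {}
    for name, allowed in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            result[name] = "missing"
        elif value in allowed:
            result[name] = "ok"
        else:
            result[name] = f"unexpected: {value}"
    return result

def fetch_headers(url, timeout=5):
    """Send a HEAD request and return the response headers (live check)."""
    parts = urlparse(url)
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("HEAD", parts.path or "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return headers

# Constructed samples: what the commenter above reports seeing, and a
# response from an application where the filter mapping was not applied.
FILTERED = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "X-XSS-Protection": "1; mode=block", "Content-Type": "text/html"}
UNFILTERED = {"Content-Type": "text/html",
              "x-frame-options": "ALLOW-FROM https://example.com"}

if __name__ == "__main__":
    for label, hdrs in (("filtered", FILTERED), ("unfiltered", UNFILTERED)):
        print(label, check_security_headers(hdrs))
```

For a running server, `check_security_headers(fetch_headers("http://localhost:8080/"))` performs the same check against the live response.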
How to enable Content Security Policy filters in Apache Tomcat?