How to enable security filters in Apache Tomcat

To enable the HTTP header security filter in Tomcat, add the lines below to tomcat_home/conf/web.xml:


<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>

    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>

    <!-- This option only works in Tomcat 7.0.70 and above. -->
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- true makes the filter send X-XSS-Protection: 1; mode=block -->
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note:

1. The X-Frame-Options response header improves the protection of web applications against clickjacking. It tells the browser whether or not it may render the page inside a frame, iframe or object.

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.

2. The X-XSS-Protection header enables the cross-site scripting (XSS) filter built into the browser.
1; mode=block means the filter is enabled and, rather than sanitising the page, the browser prevents the page from rendering at all when an XSS attack is detected.
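After restarting Tomcat, it is worth confirming from the client side that the filter actually emits both headers. The script below is an added example, not part of the original post: it parses a raw HTTP header block, checks X-Frame-Options and X-XSS-Protection against the values the configuration above should produce, and includes a helper for a live check against a running instance. The sample responses are constructed for illustration, and the URL in check_url is a placeholder.

```python
# Added example: verify that Tomcat's HttpHeaderSecurityFilter is emitting the
# two headers configured in conf/web.xml (X-Frame-Options, X-XSS-Protection).
import urllib.request

FRAME_OPTIONS_OK = ("DENY", "SAMEORIGIN")   # ALLOW-FROM <uri> is handled separately
EXPECTED_XSS = "1; mode=block"              # what xssProtectionEnabled=true should send

def parse_headers(raw_response):
    """Turn a raw HTTP header block (status line + headers) into a dict keyed by
    lower-cased header name. Any body after the blank line is ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(headers):
    """Return a list of findings; an empty list means the filter is doing its job."""
    findings = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: responses can be framed (clickjacking)")
    elif xfo.upper() not in FRAME_OPTIONS_OK and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: xssProtectionEnabled not applied "
                        "(the option needs Tomcat 7.0.70 or later)")
    elif xss.replace(" ", "").lower() != EXPECTED_XSS.replace(" ", ""):
        findings.append(f"X-XSS-Protection is {xss!r}, expected {EXPECTED_XSS!r}")
    return findings

def check_url(url):
    """Live check against a running Tomcat, e.g. check_url('http://localhost:8080/')."""
    with urllib.request.urlopen(url) as resp:
        return check_security_headers({k.lower(): v for k, v in resp.getheaders()})

# Constructed sample responses: before and after adding the filter mapping.
WITHOUT_FILTER = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                  "Content-Type: text/html;charset=UTF-8\r\n\r\n<html></html>")
WITH_FILTER = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
               "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
               "Content-Type: text/html;charset=UTF-8\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("without filter", WITHOUT_FILTER), ("with filter", WITH_FILTER)):
        print(label + ":", check_security_headers(parse_headers(raw)) or ["OK"])
```

Current browsers have retired the XSS auditor that X-XSS-Protection controlled, so X-Frame-Options is the header that still matters in practice; the check is nonetheless a quick way to confirm the filter is active on every URL the mapping covers.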

Note: For more details, refer to the Open Web Application Security Project (OWASP):
https://www.owasp.org/

This entry was posted in Java, Tomcat.