How to enable security filters in Apache Tomcat

To enable the security filter in Tomcat, add the lines below to tomcat_home/conf/web.xml:


<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>

    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>

    <!-- this option only works in Tomcat 7.0.70 and above -->
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- true sets the header to "1; mode=block" -->
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note:

1. The X-Frame-Options response header improves the protection of web applications against clickjacking. It indicates whether or not a browser should be allowed to render a page in a frame, iframe or object.

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.

2. X-XSS-Protection enables the cross-site scripting (XSS) filter in the browser.
"1; mode=block" means the filter is enabled. Rather than sanitizing the page, the browser will prevent rendering of the page when an XSS attack is detected.

Note: For more details, refer to the Open Web Application Security Project (OWASP):
https://www.owasp.org/
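As an added check (not code from the original post), the script below parses a response header block like the one `curl -I http://host/` prints and reports whether the headers this filter adds are present with the values configured above; the two sample responses are constructed.

```python
# Added example: verify the headers emitted by HttpHeaderSecurityFilter.
# Values are compared case-insensitively; keys are lowercase header names.
EXPECTED = {
    "x-frame-options": {"deny", "sameorigin"},   # antiClickJackingOption
    "x-content-type-options": {"nosniff"},       # blockContentTypeSniffing (on by default)
    "x-xss-protection": {"1; mode=block"},       # xssProtectionEnabled=true
}


def parse_headers(raw):
    """Parse a raw HTTP response header block into a dict keyed by lowercase name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return header -> 'ok' | 'missing' | 'unexpected: <value>' for each expected header."""
    headers = parse_headers(raw)
    result = {}
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            result[name] = "missing"
        elif value.lower() in allowed:
            result[name] = "ok"
        else:
            result[name] = "unexpected: " + value
    return result


# Constructed sample responses: before and after enabling the filter.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
"""
SAMPLE_AFTER = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_security_headers(raw))
```

Run it against a real capture by piping `curl -sI` output into `check_security_headers`; a "missing" result for all three headers usually means the filter mapping is not active for that URL.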

This entry was posted in Java, Tomcat.

5 Responses to How to enable security filters in apache tomcat

  1. Gary says:

    Can these filters be enabled for a specific site on a tomcat server or are they server wide?


  2. abc says:

    Hello,

    I am using the Acunetix web vulnerability scanner to identify vulnerabilities. When I ran the scanner it reported a Cross site scripting (content-sniffing) vulnerability. I have added the following tag, but after adding the tags I am still getting the Cross site scripting (content-sniffing) vulnerability.

    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>

    Tomcat version is 9.0.0.M17.

    What should I do next? Is there anything I am missing?

    • vijaykumar says:

      Can you see the response headers below?
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block

      • vijaykumar says:

        I have added the below configuration in the Tomcat version 9.0.0.M17 web.xml file and can see the below headers:
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block

        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>

            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>

            <init-param>
                <param-name>xssProtectionEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>

        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
