This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 6e232f8 Add HTTP header security filter to manager, host manager and examples
6e232f8 is described below
commit 6e232f825d53abe1406bc9a9b8add67743b3f35d
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Nov 10 10:21:04 2020 +0000
Add HTTP header security filter to manager, host manager and examples
---
webapps/docs/changelog.xml | 4 ++++
webapps/examples/WEB-INF/web.xml | 18 ++++++++++++++++++
webapps/host-manager/WEB-INF/web.xml | 17 +++++++++++++++++
webapps/manager/WEB-INF/web.xml | 17 +++++++++++++++++
4 files changed, 56 insertions(+)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 168806b..f22e1f1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -180,6 +180,10 @@
 <code>SameSite=strict</code> for all cookies, including session cookies,
 created by the application. (markt)
 </add>
+ <add>
+ Configure the examples, Manager and Host Manager to use the HTTP header
+ security filter with default settings apart from no HSTS header. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Other">
diff --git a/webapps/examples/WEB-INF/web.xml b/webapps/examples/WEB-INF/web.xml
index 8f86f5f..9e73861 100644
--- a/webapps/examples/WEB-INF/web.xml
+++ b/webapps/examples/WEB-INF/web.xml
@@ -65,6 +65,18 @@
 </init-param>
 </filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it -->
+ <!-- interferes with an existing setting. Keep X-Content-Type-Options -->
+ <!-- and X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
 <!-- Define filter mappings for the timing filters -->
 <!--
 <filter-mapping>
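Review bot: The rationale comment above the new `<filter>` (`<!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes with an existing setting. Keep X-Content-Type-Options and X-XSS-Protection as they are page specific. -->`) does not say why HSTS is the one header that can "interfere" while the others are safe to leave at their defaults, so a reader may take "page specific" to mean those headers are configured per page. As far as I can tell the distinction is scope: Strict-Transport-Security is a host-wide browser policy, so a value emitted by one webapp can conflict with one already set by a front-end proxy or another context on the same host, whereas X-Frame-Options, X-Content-Type-Options and X-XSS-Protection describe only the response they are sent on. I would reword it as `<!-- HSTS is disabled because it is a host-wide policy and could conflict with one already set by a proxy or another context on this host; X-Frame-Options, X-Content-Type-Options and X-XSS-Protection apply per response, so the filter defaults are kept for them. -->`. The same comment text is added in the host-manager and manager hunks below and would benefit from the same wording.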
@@ -87,6 +99,12 @@
 </filter-mapping>
 -->
+ <!-- Enable header security filter for all requests -->
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
 <!-- Define example application events listeners -->
 <listener>
 <listener-class>listeners.ContextListener</listener-class>
diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml
index e9faa2c..54d7d4f 100644
--- a/webapps/host-manager/WEB-INF/web.xml
+++ b/webapps/host-manager/WEB-INF/web.xml
@@ -56,11 +56,28 @@
 </init-param>
 </filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+ <!-- with an existing setting. Keep X-Content-Type-Options and -->
+ <!-- X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
 <filter-mapping>
 <filter-name>CSRF</filter-name>
 <servlet-name>HTMLHostManager</servlet-name>
 </filter-mapping>
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
 <!-- Define the Manager Servlet Mapping -->
 <servlet-mapping>
 <servlet-name>HostManager</servlet-name>
diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
index e73aae0..ac70577 100644
--- a/webapps/manager/WEB-INF/web.xml
+++ b/webapps/manager/WEB-INF/web.xml
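Review bot: The new `/*` filter-mapping in the host-manager hunk only covers responses that reach the servlet filter chain, so responses the container produces before the chain runs will not carry X-Frame-Options or X-Content-Type-Options at all — in particular the 401 challenge and 403 refusals the authenticator emits for the `<security-constraint>` (visible in the manager hunk below; host-manager is protected the same way as far as I can tell) and any Valve-level rejection, since Tomcat builds the filter chain inside the wrapper pipeline after those valves have run. That is tolerable for error bodies that are static text, but it means the headers are not a guarantee for every response from these contexts, and anyone wanting full coverage needs a Valve or front-end setting rather than this filter. I would record the limit next to the mapping, e.g. `<!-- Only responses that reach the filter chain get these headers; authenticator and Valve responses (401/403) are not covered -->`. The manager hunk below adds the identical mapping and has the same limitation.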
@@ -100,11 +100,28 @@
 </init-param>
 </filter>
+ <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+ <!-- with an existing setting. Keep X-Content-Type-Options and -->
+ <!-- X-XSS-Protection as they are page specific. -->
+ <filter>
+ <filter-name>HTTP header security filter</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <init-param>
+ <param-name>hstsEnabled</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+
 <filter-mapping>
 <filter-name>CSRF</filter-name>
 <servlet-name>HTMLManager</servlet-name>
 </filter-mapping>
+ <filter-mapping>
+ <filter-name>HTTP header security filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
 <!-- Define a Security Constraint on this Application -->
 <!-- NOTE: None of these roles are present in the default users file -->
 <security-constraint>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org