Author: markt
Date: Mon May 18 11:06:41 2015
New Revision: 1679988

URL: http://svn.apache.org/r1679988
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=54618
Add a new HttpHeaderSecurityFilter that adds the Strict-Transport-Security, 
X-Frame-Options and X-Content-Type-Options HTTP headers to the response

Added:
    
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
      - copied, changed from r1678339, 
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
Modified:
    tomcat/tc8.0.x/trunk/   (props changed)
    tomcat/tc8.0.x/trunk/conf/web.xml
    tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
    tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
    
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties
    tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc8.0.x/trunk/webapps/docs/config/filter.xml
    tomcat/tc8.0.x/trunk/webapps/docs/security-howto.xml

Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 18 11:06:41 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
 
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
 
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1666649,1
 
666757,1666966,1666972,1666985,1666995,1666997,1667292,1667402,1667406,1667546,1667615,1667630,1667636,1667688,1667764,1667871,1668026,1668135,1668193,1668593,1668596,1668630,1668639,1668843,1669353,1669370,1669451,1669800,1669838,1669876,1669882,1670394,1670433,1670591,1670598-1670600,1670610,1670631,1670719,1670724,1670726,1670730,1670940,1671112,1672272,1672284,1673754,1674294,1675461,1675486,1675594,1675830,1676231,1676250-1676251,1676364,1676381,1676393,1676479,1676525,1676552,1676615,1676630,1676634,1676721,1676926,1676943,1677140,1677802,1678011,1678162,1678174,1678701,1679534
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
 
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
 
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1666649,1
 
666757,1666966,1666972,1666985,1666995,1666997,1667292,1667402,1667406,1667546,1667615,1667630,1667636,1667688,1667764,1667871,1668026,1668135,1668193,1668593,1668596,1668630,1668639,1668843,1669353,1669370,1669451,1669800,1669838,1669876,1669882,1670394,1670433,1670591,1670598-1670600,1670610,1670631,1670719,1670724,1670726,1670730,1670940,1671112,1672272,1672284,1673754,1674294,1675461,1675486,1675594,1675830,1676231,1676250-1676251,1676364,1676381,1676393,1676479,1676525,1676552,1676615,1676630,1676634,1676721,1676926,1676943,1677140,1677802,1678011,1678162,1678174,1678339,1678426-1678427,1678694,1678701,1679534,1679708,1679710,1679716

Modified: tomcat/tc8.0.x/trunk/conf/web.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/conf/web.xml?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/conf/web.xml (original)
+++ tomcat/tc8.0.x/trunk/conf/web.xml Mon May 18 11:06:41 2015
@@ -395,6 +395,46 @@
 
   <!-- ================== Built In Filter Definitions ===================== -->
 
+  <!-- A filter that sets various security related HTTP Response headers.   -->
+  <!-- This filter supports the following initialization parameters         -->
+  <!-- (default values are in square brackets):                             -->
+  <!--                                                                      -->
+  <!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
+  <!--                       (HSTS) header be added to the response? See    -->
+  <!--                       RFC 6797 for more information on HSTS. [true]  -->
+  <!--                                                                      -->
+  <!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
+  <!--                       HSTS header. Negative values will be treated   -->
+  <!--                       as zero. [0]                                   -->
+  <!--                                                                      -->
+  <!--   hstsIncludeSubDomains                                              -->
+  <!--                       Should the includeSubDomains parameter be      -->
+  <!--                       included in the HSTS header.                   -->
+  <!--                                                                      -->
+  <!--   antiClickJackingEnabled                                            -->
+  <!--                       Should the anti click-jacking header           -->
+  <!--                       X-Frame-Options be added to every response?    -->
+  <!--                       [true]                                         -->
+  <!--                                                                      -->
+  <!--   antiClickJackingOption                                             -->
+  <!--                       What value should be used for the header. Must -->
+  <!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
+  <!--                       (case-insensitive). [DENY]                     -->
+  <!--                                                                      -->
+  <!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
+  <!--                       allowed? []                                    -->
+  <!--                                                                      -->
+  <!--   blockContentTypeSniffingEnabled                                    -->
+  <!--                       Should the header that blocks content type     -->
+  <!--                       sniffing be added to every response? [true]    -->
+<!--
+    <filter>
+        <filter-name>httpHeaderSecurity</filter-name>
+        
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <async-supported>true</async-supported>
+    </filter>
+-->
+
   <!-- A filter that sets character encoding that is used to decode -->
   <!-- parameters in a POST request -->
 <!--
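Review bot: The hstsIncludeSubDomains entry in this hunk is the only parameter whose default is not given in square brackets, although the header of the comment promises one for each; the field in HttpHeaderSecurityFilter is initialised to false, so the line should read `<!--                       included in the HSTS header. [false]           -->`. The antiClickJackingUri entry gives `[]` as its default, but the corresponding filter field has no default value at all (it is only populated by setAntiClickJackingUri), so stating that there is no default, and that the parameter is required when antiClickJackingOption is ALLOW-FROM, would describe the behaviour more accurately. The same two omissions appear in the filter.xml section added by this commit.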
@@ -483,6 +523,15 @@
 
   <!-- ==================== Built In Filter Mappings ====================== -->
 
+  <!-- The mapping for the HTTP header security Filter -->
+<!--
+    <filter-mapping>
+        <filter-name>httpHeaderSecurity</filter-name>
+        <url-pattern>/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+    </filter-mapping>
+-->
+
   <!-- The mapping for the Set Character Encoding Filter -->
 <!--
     <filter-mapping>

Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java Mon 
May 18 11:06:41 2015
@@ -79,9 +79,7 @@ import org.apache.tomcat.util.res.String
 public final class CorsFilter implements Filter {
 
     private static final Log log = LogFactory.getLog(CorsFilter.class);
-
-    private static final StringManager sm =
-            StringManager.getManager(Constants.Package);
+    private static final StringManager sm = 
StringManager.getManager(Constants.Package);
 
 
     /**

Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java Mon 
May 18 11:06:41 2015
@@ -35,8 +35,7 @@ import org.apache.tomcat.util.res.String
  */
 public abstract class FilterBase implements Filter {
 
-    protected static final StringManager sm =
-        StringManager.getManager(Constants.Package);
+    protected static final StringManager sm = 
StringManager.getManager(Constants.Package);
 
     protected abstract Log getLogger();
 

Copied: 
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
 (from r1678339, 
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java)
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?p2=tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java&p1=tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java&r1=1678339&r2=1679988&rev=1679988&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
(original)
+++ 
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
 Mon May 18 11:06:41 2015
@@ -17,6 +17,8 @@
 package org.apache.catalina.filters;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -43,6 +45,17 @@ public class HttpHeaderSecurityFilter ex
     private boolean hstsIncludeSubDomains = false;
     private String hstsHeaderValue;
 
+    // Click-jacking protection
+    private static final String ANTI_CLICK_JACKING_HEADER_NAME = 
"X-Frame-Options";
+    private boolean antiClickJackingEnabled = true;
+    private XFrameOption antiClickJackingOption = XFrameOption.DENY;
+    private URI antiClickJackingUri;
+    private String antiClickJackingHeaderValue;
+
+    // Block content sniffing
+    private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = 
"X-Content-Type-Options";
+    private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = 
"nosniff";
+    private boolean blockContentTypeSniffingEnabled = true;
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -55,6 +68,14 @@ public class HttpHeaderSecurityFilter ex
             hstsValue.append(";includeSubDomains");
         }
         hstsHeaderValue = hstsValue.toString();
+
+        // Anti click-jacking
+        StringBuilder cjValue = new 
StringBuilder(antiClickJackingOption.headerValue);
+        if (antiClickJackingOption == XFrameOption.ALLOW_FROM) {
+            cjValue.append(':');
+            cjValue.append(antiClickJackingUri);
+        }
+        antiClickJackingHeaderValue = cjValue.toString();
     }
 
 
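Review bot: The ALLOW-FROM branch joins the directive and the URI with a colon (`cjValue.append(':')`), but RFC 7034 separates them with whitespace (`X-Frame-Options: ALLOW-FROM https://example.com/`, constructed example), so a browser that honours ALLOW-FROM would not recognise the value as built here; `cjValue.append(' ');` is the separator the specification expects. The same branch appends antiClickJackingUri unconditionally, and that field has no default, so selecting ALLOW-FROM without configuring antiClickJackingUri yields the header value `ALLOW-FROM:null`; init() should fail fast in that case, e.g. `if (antiClickJackingOption == XFrameOption.ALLOW_FROM && antiClickJackingUri == null) throw new ServletException(sm.getString("<new-message-key>"));` with the key added to LocalStrings.properties. init() begins outside this hunk.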
@@ -68,9 +89,20 @@ public class HttpHeaderSecurityFilter ex
 
         // HSTS
         if (hstsEnabled && request.isSecure() && response instanceof 
HttpServletResponse) {
-            ((HttpServletResponse) response).addHeader(HSTS_HEADER_NAME, 
hstsHeaderValue);
+            ((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME, 
hstsHeaderValue);
+        }
+
+        // anti click-jacking
+        if (antiClickJackingEnabled && response instanceof 
HttpServletResponse) {
+            ((HttpServletResponse) response).setHeader(
+                    ANTI_CLICK_JACKING_HEADER_NAME, 
antiClickJackingHeaderValue);
         }
 
+        // Block content type sniffing
+        if (blockContentTypeSniffingEnabled && response instanceof 
HttpServletResponse) {
+            ((HttpServletResponse) 
response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+                    BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
+        }
         chain.doFilter(request, response);
     }
 
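Review bot: The `response instanceof HttpServletResponse` test and the cast are now repeated in all three header blocks, which makes the method harder to read than it needs to be and means a non-HTTP response silently gets none of the headers without that being visible in one place. Casting once and grouping the three setHeader calls under a single guard keeps the behaviour identical (setHeader replacing any existing value, as the new documentation states) while making the "only for HttpServletResponse" rule explicit. The doFilter signature and the start of its body lie outside this hunk.

```java
        HttpServletResponse httpResponse =
                response instanceof HttpServletResponse ? (HttpServletResponse) response : null;
        if (httpResponse != null) {
            // HSTS: only meaningful on a secure connection
            if (hstsEnabled && request.isSecure()) {
                httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
            }
            // Anti click-jacking
            if (antiClickJackingEnabled) {
                httpResponse.setHeader(ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
            }
            // Block content type sniffing
            if (blockContentTypeSniffingEnabled) {
                httpResponse.setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
                        BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
            }
        }
        chain.doFilter(request, response);
```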
@@ -106,7 +138,7 @@ public class HttpHeaderSecurityFilter ex
 
     public void setHstsMaxAgeSeconds(int hstsMaxAgeSeconds) {
         if (hstsMaxAgeSeconds < 0) {
-            hstsMaxAgeSeconds = 0;
+            this.hstsMaxAgeSeconds = 0;
         } else {
             this.hstsMaxAgeSeconds = hstsMaxAgeSeconds;
         }
@@ -121,4 +153,80 @@ public class HttpHeaderSecurityFilter ex
     public void setHstsIncludeSubDomains(boolean hstsIncludeSubDomains) {
         this.hstsIncludeSubDomains = hstsIncludeSubDomains;
     }
+
+
+
+    public boolean isAntiClickJackingEnabled() {
+        return antiClickJackingEnabled;
+    }
+
+
+
+    public void setAntiClickJackingEnabled(boolean antiClickJackingEnabled) {
+        this.antiClickJackingEnabled = antiClickJackingEnabled;
+    }
+
+
+
+    public String getAntiClickJackingOption() {
+        return antiClickJackingOption.toString();
+    }
+
+
+    public void setAntiClickJackingOption(String antiClickJackingOption) {
+        for (XFrameOption option : XFrameOption.values()) {
+            if 
(option.getHeaderValue().equalsIgnoreCase(antiClickJackingOption)) {
+                this.antiClickJackingOption = option;
+                return;
+            }
+        }
+        throw new IllegalArgumentException(
+                sm.getString("httpHeaderSecurityFilter.clickjack.invalid", 
antiClickJackingOption));
+    }
+
+
+
+    public String getAntiClickJackingUri() {
+        return antiClickJackingUri.toString();
+    }
+
+
+    public boolean isBlockContentTypeSniffingEnabled() {
+        return blockContentTypeSniffingEnabled;
+    }
+
+
+    public void setBlockContentTypeSniffingEnabled(
+            boolean blockContentTypeSniffingEnabled) {
+        this.blockContentTypeSniffingEnabled = blockContentTypeSniffingEnabled;
+    }
+
+
+    public void setAntiClickJackingUri(String antiClickJackingUri) {
+        URI uri;
+        try {
+            uri = new URI(antiClickJackingUri);
+        } catch (URISyntaxException e) {
+            throw new IllegalArgumentException(e);
+        }
+        this.antiClickJackingUri = uri;
+    }
+
+
+    private static enum XFrameOption {
+        DENY("DENY"),
+        SAME_ORIGIN("SAMEORIGIN"),
+        ALLOW_FROM("ALLOW-FROM");
+
+
+        private final String headerValue;
+
+        private XFrameOption(String headerValue) {
+            this.headerValue = headerValue;
+        }
+
+        public String getHeaderValue() {
+            return headerValue;
+        }
+    }
 }
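Review bot: getAntiClickJackingOption() returns the enum constant name (`antiClickJackingOption.toString()`, e.g. SAME_ORIGIN) while setAntiClickJackingOption() matches on the header value (SAMEORIGIN), so a value read back from the getter is rejected by the setter; `return antiClickJackingOption.getHeaderValue();` keeps the pair symmetric. getAntiClickJackingUri() dereferences antiClickJackingUri, which has no default, so it throws NullPointerException until setAntiClickJackingUri has been called, whereas the filter.xml text in this commit describes the default as an empty string; either initialise the field or guard the getter with `return antiClickJackingUri == null ? null : antiClickJackingUri.toString();`. setAntiClickJackingUri() accepts any syntactically valid URI, but ALLOW-FROM expects an origin (scheme and host, optional port), so checking that the parsed URI has a scheme and host, or at least documenting the expectation in Javadoc, would surface a misconfiguration at init time rather than in the browser. On a point of style, `static` on a nested enum is redundant and the conventional form is `private enum XFrameOption`.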

Modified: 
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- 
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties 
(original)
+++ 
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties 
Mon May 18 11:06:41 2015
@@ -40,4 +40,7 @@ expiresFilter.filterInitialized=Filter i
 expiresFilter.expirationHeaderAlreadyDefined=Request "{0}" with response 
status "{1}" content-type "{2}", expiration header already defined
 expiresFilter.skippedStatusCode=Request "{0}" with response status "{1}" 
content-type "{1}", skip expiration header generation for given status
 
+httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response 
is already committed on entry to the HTTP header security Filter
+httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was 
specified for the anti click-jacking header
+
 remoteIpFilter.invalidLocation=Failed to modify the rewrite location [{0}] to 
use scheme [{1}] and port [{2}]
\ No newline at end of file

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Mon May 18 11:06:41 2015
@@ -47,6 +47,12 @@
 <section name="Tomcat 8.0.23 (markt)" rtext="in development">
   <subsection name="Catalina">
     <changelog>
+      <add>
+        <bug>54618</bug>: Add a new <code>HttpHeaderSecurityFilter</code> that
+        adds the <code>Strict-Transport-Security</code>,
+        <code>X-Frame-Options</code> and <code>X-Content-Type-Options</code>
+        HTTP headers to the response. (markt)
+      </add>
       <fix>
         <bug>57875</bug>: Add <code>javax.websocket.*</code> to the classes for
         which the web application class loader always delegates first. (markt)

Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/filter.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/filter.xml?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/filter.xml Mon May 18 11:06:41 2015
@@ -697,6 +697,86 @@ FINE: Request "/docs/config/manager.html
 
 </section>
 
+<section name="HTTP Header Security Filter">
+
+  <subsection name="Introduction">
+
+    <p>There are a number of HTTP headers that can be added to the response to
+    improve the security of the connection. This filter provides a mechanism 
for
+    adding those headers. Note that security related headers with more complex
+    requirements, like CORS, are implemted as separate Filters.</p>
+
+  </subsection>
+
+  <subsection name="Filter Class Name">
+
+    <p>The filter class name for the HTTP Header Security Filter is
+    <strong><code>org.apache.catalina.filters.HttpHeaderSecurityFilter</code>
+    </strong>.</p>
+
+  </subsection>
+
+  <subsection name="Initialisation parameters">
+
+    <p>The HTTP Header Security Filter supports the following initialization
+    parameters:</p>
+
+    <attributes>
+
+      <attribute name="hstsEnabled" required="false">
+        <p>Will an HTTP Strict Transport Security (HSTS) header
+        (<code>Strict-Transport-Security</code>) be set on the response for
+        secure requests. Any HSTS header already present will be replaced. See
+        <a href="http://tools.ietf.org/html/rfc6797";>RFC 6797</a> for further
+        details of HSTS. If not specified, the default value of
+        <code>true</code> will be used.</p>
+      </attribute>
+
+      <attribute name="hstsMaxAgeSeconds" required="false">
+        <p>The max age value that should be used in the HSTS header. Negative
+        values will be treated as zero. If not specified, the default value of
+        <code>0</code> will be used.</p>
+      </attribute>
+
+      <attribute name="hstsIncludeSubDomains" required="false">
+        <p>Should the includeSubDomains parameter be included in the HSTS
+        header. If not specified, the default value of <code>false</code> will
+        be used.</p>
+      </attribute>
+
+      <attribute name="antiClickJackingEnabled" required="false">
+        <p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
+        be set on the response. Any anti click-jacking header already present
+        will be replaced. If not specified, the default value of
+        <code>true</code> will be used.</p>
+      </attribute>
+
+      <attribute name="antiClickJackingOption" required="false">
+        <p>What value should be used for the ant click-jacking header? Must be
+        one of <code>DENY</code>, <code>SAMEORIGIN</code>,
+        <code>ALLOW-FROM </code> (case-insensitive). If not specified, the
+        default value of <code>DENY</code> will be used.</p>
+      </attribute>
+
+      <attribute name="antiClickJackingUri" required="false">
+        <p>IF ALLOW-FROM is used for <strong>antiClickJackingOption</strong>,
+        what URI should be allowed? If not specified, the default value of an
+        empty string will be used.</p>
+      </attribute>
+
+      <attribute name="blockContentTypeSniffingEnabled" required="false">
+        <p>Should the header that blocks content type sniffing
+        (<code>X-Content-Type-Options</code>) be set on every response. If
+        already present, the header will be replaced. If not specified, the
+        default value of <code>true</code> will be used.</p>
+      </attribute>
+
+    </attributes>
+
+  </subsection>
+
+</section>
+
 <section name="Remote Address Filter">
 
   <subsection name="Introduction">

Modified: tomcat/tc8.0.x/trunk/webapps/docs/security-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/security-howto.xml?rev=1679988&r1=1679987&r2=1679988&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/security-howto.xml Mon May 18 11:06:41 
2015
@@ -477,6 +477,13 @@
     can be configured and used to reject requests that had errors during
     request parameter parsing. Without the filter the default behaviour is
     to ignore invalid or excessive parameters.</p>
+
+    <p><a href="config/filter.html">HttpHeaderSecurityFilter</a> can be
+    used to add headers to responses to improve security. If clients access
+    Tomcat directly, then you probably want to enable this filter and all the
+    headers it sets unless your application is already setting them. If Tomcat
+    is accessed via a reverse proxy, then the configuration of this filter 
needs
+    to be co-ordinated with any headers that the reverse proxy sets.</p>
   </section>
 
   <section name="General">


