I haven't done this myself, though I have written other filters. If you have a reverse proxy in front of tomcat anyway, it is conventional to implement your security headers there rather than in tomcat.
But I'm afraid I can't comment on the best way to do this.

M.

On Wed, 19 Sep 2018, 19:23 Tezarin, <teza...@yahoo.com.invalid> wrote:

> Mark,
>
> Thank you for your prompt reply. Right now my other alternative would be
> to modify the nginx entry for Guacamole and add the line below to the
> config file. I was consulting the info found on this page:
> https://gist.github.com/plentz/6737338
>
> # Content Security Policy (CSP) enabled
> add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'";
>
> Not sure if that would work, but can you please elaborate on the custom
> filter? Do you have any examples for the CSP so I can use for the Guacamole?
>
> Thanks
>
> On Wednesday, September 19, 2018, 9:35:57 AM EDT, Mark Nolan <mano...@gmail.com> wrote:
>
> Difficult to know what your exact requirements are. For samples of CSP
> headers, you can look here:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I don't have any specific experience with CSP, but to add custom headers,
> you will need to use a filter.
>
> I thought the http header security filter might do it, but it looks like it
> doesn't. You should still consider it:
> https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html.
>
> Other than that, you will probably need to write a custom filter, which is
> what I have always ended up doing for odd header requirements.
>
> Mark
>
> On Wed, 19 Sep 2018, 18:12 Tezarin, <teza...@yahoo.com.invalid> wrote:
>
> > Hi,
> > I need to implement a Content Security Policy (CSP) for the guacamole web
> > application. This is done via http headers added to the response from the
> > tomcat server running guacamole. So here are the questions I would ask
> > myself:
> > 1. How do I add HTTP headers to a tomcat server or guacamole
> >    configuration? If I cannot do it easily, how do I add them to an nginx
> >    config for a proxied application?
> > 2. What is the format of the CSP header?
> > 3. What is a good CSP policy to implement to cover what we need?
> >
> > I was just wondering if anyone has done this before. Any help would be
> > much appreciated. I am using Guacamole inside docker containers.
> >
> > Thanks