RE: Setting headers in tomcat 9

2019-03-26 Thread Eze Ikonne
Hi Yemi,

You may implement servlet filters to insert these security headers before the
response reaches the client. I hope this helps.

Ike

-Original Message-
From: Olayemi Olatunji 
Sent: Tuesday, March 26, 2019 3:37 AM
To: users@tomcat.apache.org
Subject: Setting headers in tomcat 9

Hello,

I'm deploying an application on Tomcat 9 which a client has requested we
conduct a vulnerability test on.

The test came back with missing headers for the following: 
Content-Security-Policy, X-Frame-Options, X-XSS-Protection, 
X-Content-Type-Options, Referrer-Policy, Feature-Policy.

How can this be resolved/patched?

Kind regards

Olayemi

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Setting headers in tomcat 9

2019-03-26 Thread logo

Hi Olayemi,

On 26.03.2019 09:36, Olayemi Olatunji wrote:

> Hello,
>
> I'm deploying an application on Tomcat 9 which a client has requested
> we conduct a vulnerability test on.
>
> The test came back with missing headers for the following:
> Content-Security-Policy, X-Frame-Options, X-XSS-Protection,
> X-Content-Type-Options, Referrer-Policy, Feature-Policy.
>
> How can this be resolved/patched?



Per se this can be done by enabling the
org.apache.catalina.filters.HttpHeaderSecurityFilter in the global or
your webapp's web.xml


This will solve quite a few of the vulnerability scanner findings.

For Content-Security-Policy (CSP) you should write your own Filter. The
CSP finding is a pain for legacy applications. CSP is nothing that can
be enabled without application know-how, the right settings for your
needs and intensive testing. You may really break inline JavaScript in
your pages (CSS too).


Please check out the great websites of Scott Helme on the Headers
https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/

Feature Policy is quite new and I would not deem that relevant for 
legacy applications (that don't use features like GPS, rotation, 
microphone).



> Kind regards
>
> Olayemi


Best regards

Peter

BTW: may I suggest you use the search function on the user list (eg: 
https://tomcat.apache.org/lists.html#tomcat-users -> MARC, MarkMail, 
Nabble). This question has been asked before quite a few times.
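The two steps Peter describes above, as an added example that is not code from the thread or from the Tomcat project: a ServletContextListener registers Tomcat's built-in HttpHeaderSecurityFilter programmatically (the same init-params you would put in the web.xml <filter> entry) and then adds a hand-written filter for the headers the built-in one does not emit (Content-Security-Policy, Referrer-Policy, Feature-Policy). The package name, the /csp-report endpoint and the specific directive values are assumptions chosen for illustration; the init-param names on the built-in filter are the ones documented for Tomcat 9, and the code targets the javax.servlet API that Tomcat 9 ships.

```java
// Added example (not from the thread or the Tomcat project). Tomcat 9 / Servlet 4.0.
package example.headers;                       // package name is an assumption

import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SecurityHeadersConfig implements ServletContextListener {

    private static final EnumSet<DispatcherType> ALL_DISPATCHES =
            EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ERROR);

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Tomcat's own filter: X-Frame-Options, X-Content-Type-Options,
        //    X-XSS-Protection and, on HTTPS requests only, Strict-Transport-Security.
        //    Same effect as declaring it in web.xml with these init-params.
        FilterRegistration.Dynamic builtIn = ctx.addFilter(
                "httpHeaderSecurity",
                "org.apache.catalina.filters.HttpHeaderSecurityFilter");
        builtIn.setInitParameter("antiClickJackingEnabled", "true");
        builtIn.setInitParameter("antiClickJackingOption", "SAMEORIGIN"); // DENY if the app never frames itself
        builtIn.setInitParameter("blockContentTypeSniffingEnabled", "true");
        builtIn.setInitParameter("xssProtectionEnabled", "true");
        builtIn.setInitParameter("hstsEnabled", "true");
        builtIn.setInitParameter("hstsMaxAgeSeconds", "31536000");
        builtIn.addMappingForUrlPatterns(ALL_DISPATCHES, false, "/*");

        // 2. The headers HttpHeaderSecurityFilter does not cover.
        FilterRegistration.Dynamic csp = ctx.addFilter("cspHeaders", CspHeaderFilter.class);
        // Start in report-only mode: the browser evaluates the policy and reports
        // violations but blocks nothing, so legacy inline script keeps working while
        // the directives are tuned. Flip to "false" once the reports are clean.
        csp.setInitParameter("reportOnly", "true");
        csp.setInitParameter("policy",
                "default-src 'self'; object-src 'none'; frame-ancestors 'self'; "
              + "report-uri /csp-report");       // /csp-report is a placeholder collector endpoint
        csp.addMappingForUrlPatterns(ALL_DISPATCHES, false, "/*");
    }

    /** Sets Content-Security-Policy, Referrer-Policy and Feature-Policy on every response. */
    public static class CspHeaderFilter implements Filter {
        private String headerName;
        private String policy;

        @Override
        public void init(FilterConfig cfg) {
            boolean reportOnly = Boolean.parseBoolean(cfg.getInitParameter("reportOnly"));
            headerName = reportOnly ? "Content-Security-Policy-Report-Only"
                                    : "Content-Security-Policy";
            policy = cfg.getInitParameter("policy");
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // Set the headers BEFORE running the chain: once a servlet or JSP commits
            // the response, anything set afterwards is silently dropped.
            if (res instanceof HttpServletResponse && !res.isCommitted()) {
                HttpServletResponse http = (HttpServletResponse) res;
                http.setHeader(headerName, policy);   // setHeader, not addHeader: one policy, no duplicates
                http.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
                // Feature-Policy: deny the browser APIs a typical legacy web app never uses.
                http.setHeader("Feature-Policy", "geolocation 'none'; microphone 'none'; camera 'none'");
            }
            chain.doFilter(req, res);
        }
    }
}
```

Drop the class into the webapp and Tomcat picks the listener up via the @WebListener annotation (no web.xml change needed; if the app sets metadata-complete="true", declare it as a <listener> instead). Verify the result from outside with something like curl -I https://host/app/ and check that each header appears exactly once; a scanner re-run should then clear X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy and Feature-Policy immediately, while the CSP finding only goes away once the policy is switched out of report-only mode.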



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org