Re: Setting security response headers when Valve returns error..

2023-06-12 Thread Mark Thomas

On 09/06/2023 19:34, Amit Pande wrote:

Hello,

Wanted some inputs on setting HSTS (or other response headers) when returning 
error from a valve.

The server.xml has the valve "org.apache.catalina.valves.RemoteAddrValve" 
configured with a deny status of HTTP 404.

Also, the Tomcat's web.xml has 
"org.apache.catalina.filters.HttpHeaderSecurityFilter" configured.

The requirement is to set the security related headers even when the request is denied 
from the "org.apache.catalina.valves.RemoteAddrValve", which I don't see being 
set.

What is the right way to address such requirement?

Did I miss anything here?


Valves are before filters in the processing chain. If a Valve rejects a 
request, a Filter will never see it.


If you switched to the RemoteAddrFilter, you could control the order the 
Filters are applied.


Mark
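
A sketch of the filter-based setup suggested in the reply above, as an added example that is not part of the original thread: the address check moves from the Valve in server.xml to RemoteAddrFilter in web.xml, declared after HttpHeaderSecurityFilter so the headers are set before a request is denied. The filter names, the allow pattern and the HSTS max-age are constructed values; the 404 deny status is the one from the question.

```xml
<!-- Added example, not from the thread. Goes in web.xml; the RemoteAddrValve
     in server.xml is removed so the address check happens in the filter chain. -->

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value> <!-- constructed value -->
  </init-param>
</filter>

<filter>
  <filter-name>remoteAddr</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1</param-value> <!-- constructed pattern -->
  </init-param>
  <init-param>
    <param-name>denyStatus</param-name>
    <param-value>404</param-value> <!-- same status the Valve was returning -->
  </init-param>
</filter>

<!-- For url-pattern mappings the chain follows declaration order:
     the header filter runs first, then the address check. -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>remoteAddr</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

HttpHeaderSecurityFilter only adds the HSTS header to requests Tomcat considers secure, so check the result over HTTPS from an address that is denied.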




Setting security response headers when Valve returns error..

2023-06-09 Thread Amit Pande
Hello,

Wanted some inputs on setting HSTS (or other response headers) when returning 
error from a valve.

The server.xml has the valve "org.apache.catalina.valves.RemoteAddrValve" 
configured with a deny status of HTTP 404.

Also, the Tomcat's web.xml has 
"org.apache.catalina.filters.HttpHeaderSecurityFilter" configured.

The requirement is to set the security related headers even when the request is 
denied from the "org.apache.catalina.valves.RemoteAddrValve", which I don't 
see being set.

What is the right way to address such requirement?

Did I miss anything here?

Thanks,
Amit