Note: I already asked the Tomcat mailing list without receiving any reply.
I'm trying to configure the header X-Frame-Options in Tomcat 8 web.xml:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Testing it against Tomcat directly works as expected:

    curl -I http://ip_of_tomcat:port_of_tomcat/myapp/
    HTTP/1.1 200 OK
    Strict-Transport-Security: max-age=31536000;includeSubDomains
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1; Path=/myapp; Secure; HttpOnly
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Date: Thu, 25 Jun 2020 12:36:14 GMT
    Server:

Testing it with Tomcat behind an Apache reverse proxy with mod_proxy_http does not work as expected.

web.xml: the same as above.

server.xml:

    <Connector port="port_of_tomcat" protocol="HTTP/1.1" server=" "
               connectionTimeout="20000"
               ProxyPort="443" ProxyName="xframe.example.coms"
               scheme="https" secure="true"
               redirectPort="port_of_tomcat_plus_one" />

apache.conf:

    <VirtualHost ip_of_tomcat:80>
        ServerName xframe.example.com
        ProxyPass / http://ip_of_tomcat:port_of_tomcat/
        ProxyPassReverse / http://ip_of_tomcat:port_of_tomcat/
    </VirtualHost>

Result:

    curl -I https://xframe.example.com/myapp/
    HTTP/1.1 200 OK
    Date: Thu, 25 Jun 2020 13:20:48 GMT
    Server:
    Strict-Transport-Security: max-age=31536000;includeSubDomains
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1; Path=/myapp; Secure; HttpOnly
    Vary: Accept-Encoding,User-Agent

The X-Frame-Options header is missing.
The only workaround I have found is by enabling mod_headers in apache.conf, i.e.:

    <IfModule headers_module>
        <IfVersion >= 2.4.7 >
            Header always setifempty X-Frame-Options SAMEORIGIN
        </IfVersion>
        <IfVersion < 2.4.7 >
            Header always merge X-Frame-Options SAMEORIGIN
        </IfVersion>
    </IfModule>

And it finally works:

    curl -I https://xframe.example.com/myapp/
    HTTP/1.1 200 OK
    Date: Thu, 25 Jun 2020 13:24:48 GMT
    Server:
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=31536000;includeSubDomains
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=990791DCF707F972D7C2CF09D47F4BE4.myapp1; Path=/myapp; Secure; HttpOnly
    Vary: Accept-Encoding,User-Agent

Is it possible to use X-Frame-Options with mod_proxy without also having to use mod_headers? I would like to configure only Tomcat and not Apache.

-- Michele Masè
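The comparison the post does by eye (reading two `curl -I` dumps and noticing which header vanished) is the kind of check worth scripting, so that every proxy or Tomcat change can be re-verified. The following script is an added example, not code from the original post nor from Tomcat or Apache: it embeds the two responses quoted above as constructed sample input, parses them into case-insensitive header maps, lists which expected security headers are missing from each, and reports which headers were present directly but lost or altered through the proxy path. The EXPECTED list is an assumption for the illustration (the headers the HttpHeaderSecurityFilter was configured to emit here); adjust it to your own filter settings.

```python
"""Compare security headers returned directly by Tomcat with those seen
through the reverse proxy, to spot headers the proxy path drops.

Added example, not part of the original post. The sample responses below
are the ones quoted in the question, embedded as constructed input so the
check runs offline; EXPECTED is an assumed list for this illustration.
"""
from typing import Dict, List

# Headers the filter is expected to emit (assumed for this example;
# X-XSS-Protection is still set by the Tomcat 8 filter but is obsolete
# in current browsers, so treat its absence as informational).
EXPECTED = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
]

# Constructed sample input: the two `curl -I` responses from the question.
DIRECT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1; Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:
"""

PROXIED = """HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a `curl -I` dump into {lower-case name: [values]}.

    Header names are case-insensitive, so they are folded to lower case;
    repeated headers are kept as a list. The status line and blank lines
    are skipped, and a header with an empty value (the blanked `Server:`
    above) is kept with an empty string.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing_security_headers(raw: str, expected: List[str] = EXPECTED) -> List[str]:
    """Return the expected security headers absent from one response."""
    present = parse_headers(raw)
    return [h for h in expected if h.lower() not in present]


def headers_lost_through_proxy(direct_raw: str, proxied_raw: str) -> Dict[str, str]:
    """Headers present directly but missing or changed behind the proxy.

    Returns {lower-case name: value seen directly}. Date, Set-Cookie and
    Server are skipped because they legitimately differ per request.
    """
    volatile = {"date", "set-cookie", "server"}
    direct = parse_headers(direct_raw)
    proxied = parse_headers(proxied_raw)
    lost: Dict[str, str] = {}
    for name, values in direct.items():
        if name in volatile:
            continue
        if proxied.get(name) != values:
            lost[name] = ", ".join(values)
    return lost


if __name__ == "__main__":
    print("missing directly  :", missing_security_headers(DIRECT))
    print("missing via proxy :", missing_security_headers(PROXIED))
    print("lost through proxy:", headers_lost_through_proxy(DIRECT, PROXIED))
```

On the two dumps above, the proxied response is missing X-Frame-Options only, and the diff confirms it is the one header with a value directly (SAMEORIGIN) that never reaches the client through Apache. To use it on live hosts, save `curl -sI` output from each path to a file and feed the text to the same functions.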