Dwarak,
On 3/31/15 5:27 AM, D, Dwarakesh wrote:
> One of our applications is running on Tomcat and the requests are
> being redirected by Apache to Tomcat.

Do you mean proxied and not redirected?

> When we did a vulnerability scan for that application, we
> encountered a Cross-site scripting vulnerability. For remediating
> this, I added the snippet below to the httpd.conf file and did a
> fresh scan.
> But still the vulnerability is visible in the scan report. Can you
> advise me how to put a fix for this.

Do you actually understand the vulnerability? It may be fixed but the
tool is too stupid to be able to detect it. Or, you may have patched it
incorrectly.

Would you care to post the CVE, and maybe where you got the solution?

> The below lines are added in the httpd.conf file and the Apache
> version is 2.2.11
>
> Header always append X-Frame-Options SAMEORIGIN
> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

You should make sure that the Set-Cookie header modification is
appropriate; some cookies might need to work in non-secure contexts. You
are better-off making sure that cookies are not created unless the
context is secure, and that they always have the "Secure" flag.
-chris
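Editor's note, added alongside the thread and not part of either message: the directives Dwarak posted have two practical problems that Chris's reply hints at. `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` stamps both flags on every cookie, including cookies in plain-HTTP responses, and duplicates a flag that Tomcat already set; `Header always append` merges rather than replaces, so a `X-Frame-Options` value Tomcat already sends becomes `SAMEORIGIN, DENY`. (X-Frame-Options also mitigates clickjacking, not cross-site scripting, so a scanner looking for XSS will not be satisfied by it.) The fragment below is an added httpd.conf example, not configuration from the thread; it assumes mod_headers and mod_ssl are loaded and that this Apache instance terminates TLS itself, so mod_ssl's `HTTPS` environment variable marks TLS responses. The regular expressions are the example's own and use PCRE negative lookahead, which mod_headers supports.

```apache
# Added example (not from the thread): hardened form of the two directives.
# Assumes mod_headers + mod_ssl are loaded and Apache terminates TLS.

# Original line from the thread, kept for comparison:
#   Header always append X-Frame-Options SAMEORIGIN
# "set" replaces any value Tomcat already emitted instead of merging it
# into a comma-separated list that browsers will not honour.
Header always set X-Frame-Options SAMEORIGIN

# Original line from the thread, kept for comparison:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Add HttpOnly only when the cookie does not already carry it
# (attribute names are case-insensitive, hence (?i)).
Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly\b).)*)$" "$1; HttpOnly"

# Add Secure only on TLS responses (env=HTTPS) and only when absent, so a
# cookie that must work over plain HTTP on another vhost is left alone.
Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure\b).)*)$" "$1; Secure" env=HTTPS
```

Rewriting headers in the proxy is still a patch over the application. Chris's stronger suggestion is for Tomcat to mint cookies correctly in the first place: when Apache terminates TLS and forwards over plain AJP or HTTP, Tomcat does not know the request was secure unless the connector it receives on is marked `secure="true"` (and `scheme="https"`), after which Tomcat sets the Secure flag on its own session cookie, and a Servlet 3.0 container (Tomcat 7 or later) can additionally require both flags in web.xml via `<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`. Either way, re-run the scanner only after confirming with `curl -sI https://host/app/` that a single `Set-Cookie` line with exactly one `HttpOnly` and one `Secure` comes back.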