Hello Olaf,

Thanks for your response!
Based on your inputs, we are thinking of putting Apache httpd in front of the Tomcat 6 server, since our header configuration is going to be static. Can you please help us identify which version of Apache HTTP Server we can use with Tomcat 6? Also, it would be great if you could share some guidelines on how to implement Apache in front of Tomcat.

Regards,
Mohammad Nayeem

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> ....
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any of these headers. Some of them
> are available on the Tomcat 7 version webpage
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x due to some constraints.
>
> Can you kindly guide me on how to implement these headers in Tomcat 6.x?
> All your comments on this topic are welcome.
As Tomcat 6 has been solidly out of service for almost half a year already (see http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a hard place: invest in a platform that's a potential security threat (it won't get any more updates), or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of Tomcat and use its magic to tag most of your headers. For many it will be static configuration. If there's anything dynamic that you need, implement a servlet filter that just does the job. Hardcode it - you don't need a lot of configuration if you come up with a solution that's just used within your premises. If you have multiple web applications that all need the same filter, deploy the filter on all of them.

Olaf
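The hardcoded servlet-filter route Olaf describes, as an added example that is not code from the thread or from Tomcat itself: a Servlet 2.5 (javax.servlet) filter for Tomcat 6 that sets the three headers named in the question. The package name and header values are assumptions; the CSP in particular must match what the application actually loads.

```java
// Added example (not from the thread): a hardcoded security-header filter for
// Tomcat 6 (Servlet 2.5, javax.servlet). Package name and header values are
// assumptions; the remaining headers from the original list go in the same way.
package example.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Strict-Transport-Security is only meaningful on an HTTPS response
        // (browsers ignore it over plain HTTP). Behind a TLS-terminating httpd,
        // isSecure() is only true if the connector/proxy passes that through.
        if (request.isSecure()) {
            setIfAbsent(response, "Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
        setIfAbsent(response, "Content-Security-Policy", "default-src 'self'");
        setIfAbsent(response, "X-Robots-Tag", "noindex, nofollow");

        // Set before the chain runs, so the headers are present even if the
        // servlet commits the response early.
        chain.doFilter(req, res);
    }

    // Do not overwrite a value a servlet has already chosen deliberately.
    private static void setIfAbsent(HttpServletResponse response, String name, String value) {
        if (!response.containsHeader(name)) {
            response.setHeader(name, value);
        }
    }

    public void destroy() { }
}
```

Register it in each web application's WEB-INF/web.xml with a `<filter>` entry and a `<filter-mapping>` on `/*`, as Olaf notes each application needs its own copy.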