Tomcat 7.0.63 and above. Navigate to the tomcat conf directory and open the web.xml with a text editor.
In the filter section of the web.xml add the following filter <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> </filter> In the filter mapping section of the web.xml add the following. <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> Dream * Excel * Explore * Inspire Jon McAlexander Asst Vice President Middleware Product Engineering Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -----Original Message----- From: jam...@touchtonecorp.com <jam...@touchtonecorp.com> Sent: Wednesday, October 2, 2019 12:35 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Security issue involving HTTP response headers We have a customer who is particularly concerned about security. We just updated their Tomcat, which solved all the issues coming up in their security scan, except for one involving the following HTTP headers: X-FRAME-OPTIONS X-XSS-PROTECTION X-CONTENT-TYPE-OPTIONS and strict transport security. The environment is Tomcat 7.0.93, JSSE, running on an AS/400. Is this something to be fixed in a configuration file, or the webapp, or someplace else? -- JHHL --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org