Knowledge Base


How to Enable Secure HTTP Header in Apache Tomcat

https://geekflare.com/tomcat-http-security-header/

However, if you don't have a web server in front of Tomcat, or need to set the headers directly in Tomcat, the good news is that Tomcat 8 supports them natively.

Tomcat 8 has added support for the following HTTP response headers.

  • X-Frame-Options – to prevent clickjacking attacks
  • X-XSS-Protection – to help avoid cross-site scripting attacks
  • X-Content-Type-Options – to block content type sniffing
  • HSTS – to add HTTP Strict Transport Security

I’ve tested with Apache Tomcat 8.5.15 on a Digital Ocean Linux (CentOS distro) server.

Note: If you are looking for overall hardening & security then you may refer to this guide.

As a best practice, take a backup of the necessary configuration files before making changes, or test in a non-production environment first.

  • Log in to the Tomcat server
  • Go to the conf folder under the path where Tomcat is installed
  • Uncomment the following filter (by default it’s commented out)
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

By uncommenting the above, you instruct Tomcat to load the HTTP Header Security filter.

  • Add the following just after the above filter
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

By adding the above, you instruct Tomcat to inject the HTTP headers into every application URL.

  • Restart Tomcat and access the application to verify the headers.
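The following is an added example, not code from the original post or from the geekflare article. It puts the two steps above into a small script: the first function prints the httpHeaderSecurity filter declaration and mapping with the filter's init-params spelled out (parameter names as documented for org.apache.catalina.filters.HttpHeaderSecurityFilter in Tomcat 8.5, where the declaration lives in conf/web.xml), and the second checks a captured set of response headers for the four headers the filter is expected to add. The header block used for the demonstration is constructed for this example; on a real server you would feed it the output of `curl -sI https://your-host/your-app/` instead. One caveat the script encodes as a comment: the filter only adds Strict-Transport-Security to responses for HTTPS requests, so checking over plain HTTP will report it as missing.

```shell
#!/bin/sh
# Added example for the Tomcat 8 httpHeaderSecurity filter (not the post's own code).
# Assumes Tomcat 8.5 with the filter declared in conf/web.xml; init-param names are
# those documented for org.apache.catalina.filters.HttpHeaderSecurityFilter.

# Print the filter declaration plus mapping that the post tells you to uncomment,
# with the optional init-params written out so each value is a deliberate choice
# rather than a default. Redirect this into a file and paste it into web.xml.
render_filter_config() {
  cat <<'EOF'
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <!-- HSTS: the filter only adds this header on secure (HTTPS) requests -->
        <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
        <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
        <!-- Clickjacking: DENY unless the application is legitimately framed (SAMEORIGIN) -->
        <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
        <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
EOF
}

# Check a block of response headers (e.g. the output of `curl -sI https://host/app/`)
# for the four headers the filter should add. Header names are matched
# case-insensitively at the start of a line. Prints the missing names and returns 1
# if any are absent, otherwise prints a confirmation and returns 0.
check_security_headers() {
  headers="$1"
  missing=""
  for h in X-Frame-Options X-XSS-Protection X-Content-Type-Options Strict-Transport-Security; do
    if ! printf '%s\n' "$headers" | grep -qi "^$h:"; then
      missing="$missing $h"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "all security headers present"
  return 0
}

# Constructed sample of what a correctly configured Tomcat returns over HTTPS.
SAMPLE_HEADERS='HTTP/1.1 200 OK
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=UTF-8'

# Usage: generate the snippet, then verify the constructed sample.
render_filter_config >/dev/null
check_security_headers "$SAMPLE_HEADERS"
```

Run the script as-is to see the check pass on the constructed sample; to verify a live server, replace the sample with `"$(curl -sI https://your-host/your-app/)"`. The filter applies to every response matched by `/*`, so a static file or the default ROOT page is enough to confirm the headers are being added.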