Konstantin,

Good afternoon. My servers are being scanned by a "Security Center" by Tenable, which complains that the server is not returning the X-Frame-Options header. I can confirm this with Mozilla Firebug.

Within the tomcat\conf\web.xml file there are "built in filters", which I have configured as below (thinking maybe the "syntax" is incorrect?). I was hoping to see the response header change and have X-Frame-Options added to it.

Thank you,
Joe [Apache Tomcat newbie]

  <!-- ================== Built In Filter Definitions ===================== -->

  <!-- A filter that sets various security related HTTP Response headers.   -->
  <!-- This filter supports the following initialization parameters         -->
  <!-- (default values are in square brackets):                             -->
  <!--                                                                      -->
  <!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
  <!--                       (HSTS) header be added to the response? See    -->
  <!--                       RFC 6797 for more information on HSTS. [true]  -->
  <!--                                                                      -->
  <!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
  <!--                       HSTS header. Negative values will be treated   -->
  <!--                       as zero. [0]                                   -->
  <!--                                                                      -->
  <!--   hstsIncludeSubDomains                                              -->
  <!--                       Should the includeSubDomains parameter be      -->
  <!--                       included in the HSTS header.                   -->
  <!--                                                                      -->
  <!--   antiClickJackingEnabled                                            -->
  <!--                       Should the anti click-jacking header           -->
  <!--                       X-Frame-Options be added to every response?    -->
  <!--                       [true]                                         -->
  <!--                                                                      -->
  <!--   antiClickJackingOption                                             -->
  <!--                       What value should be used for the header. Must -->
  <!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
  <!--                       (case-insensitive). [DENY]                     -->
  <!--                                                                      -->
  <!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
  <!--                       allowed? []                                    -->
  <!--                                                                      -->
  <!--   blockContentTypeSniffingEnabled                                    -->
  <!--                       Should the header that blocks content type     -->
  <!--                       sniffing be added to every response? [true]    -->

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <hstsEnabled>true</hstsEnabled>
        <antiClickJackingEnabled>true</antiClickJackingEnabled>
        <antiClickJackingOption>SAMEORIGIN</antiClickJackingEnabled>
        <async-supported>true</async-supported>
    </filter>

Joe W
Email jwa...@bnl.gov

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Thursday, October 29, 2015 3:43 PM
To: Tomcat Users List
Subject: Re: X-FRame-Option

2015-10-29 22:35 GMT+03:00 Walsh, Joseph <jwa...@bnl.gov>:
> Good afternoon all...
>
> I have recently been "relocated" within our IT dept and am now
> tasked with supporting Apache Tomcat on Windows... Our cyber dept scanner
> has identified my app as vulnerable to clickjacking...
>
> Anyone have any luck adding the X-Frame-Options header in a Windows environment?
> I have tried using the built-in filter with no luck... there seem to be plenty of fixes,
> but all I find seems to be geared towards a Unix install...
> Currently running Apache Tomcat version 8.0.26

If you expect others to reproduce your result, you have to provide
exact steps (like in a good bug report) and "what you have seen" and
"what you have expected".

Beware of typos in your configuration.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org