Joseph,

As per list conventions, I'm posting at the bottom. I'll copy over the relevant parts of your XML.

On 10/29/2015 1:03 PM, Walsh, Joseph wrote:
> Konstantin.... good afternoon ..
>
> my servers are being scanned by a "security Center" by Tenable--
> complaining --server is not returning x-frame-option heading -- I
> can confirm this with Mozilla firebug..
>
> within the tomcat\conf\web.xml file there is "built in filters"
>
> as I have configured below: (thinking maybe "syntax" is incorrect ?
> ) I was hoping to see the response header change--and have the
> x-frame-option added to it ...
>
> thank you joe [Apache Tomcat newbie]....
>
>
> <!-- ================== Built In Filter Definitions ===================== -->
>
> <!-- A filter that sets various security related HTTP Response headers.   -->
> <!-- This filter supports the following initialization parameters         -->
> <!-- (default values are in square brackets):                             -->
> <!--                                                                      -->
> <!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
> <!--                       (HSTS) header be added to the response? See    -->
> <!--                       RFC 6797 for more information on HSTS. [true]  -->
> <!--                                                                      -->
> <!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
> <!--                       HSTS header. Negative values will be treated   -->
> <!--                       as zero. [0]                                   -->
> <!--                                                                      -->
> <!--   hstsIncludeSubDomains                                              -->
> <!--                       Should the includeSubDomains parameter be      -->
> <!--                       included in the HSTS header.                   -->
> <!--                                                                      -->
> <!--   antiClickJackingEnabled                                            -->
> <!--                       Should the anti click-jacking header           -->
> <!--                       X-Frame-Options be added to every response?    -->
> <!--                       [true]                                         -->
> <!--                                                                      -->
> <!--   antiClickJackingOption                                             -->
> <!--                       What value should be used for the header. Must -->
> <!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
> <!--                       (case-insensitive). [DENY]                     -->
> <!--                                                                      -->
> <!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
> <!--                       allowed? []                                    -->
> <!--                                                                      -->
> <!--   blockContentTypeSniffingEnabled                                    -->
> <!--                       Should the header that blocks content type     -->
> <!--                       sniffing be added to every response? [true]    -->
>
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>
>   <hstsEnabled>true</hstsEnabled>
>   <antiClickJackingEnabled>true</antiClickJackingEnabled>
>   <antiClickJackingOption>SAMEORIGIN</antiClickJackingEnabled>
>   <async-supported>true</async-supported>
> </filter>
>
> Joe W
> Email jwa...@bnl.gov
>
>
> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: Thursday, October 29, 2015 3:43 PM
> To: Tomcat Users List
> Subject: Re: X-FRame-Option
>
> 2015-10-29 22:35 GMT+03:00 Walsh, Joseph <jwa...@bnl.gov>:
>> good afternoon all...
>>
>> I have recently been "relocated" within our IT dept and now
>> tasked with supporting Apache Tomcat on windows... Our cyber
>> dept scanner has identified my app as vulnerable to clickjacking
>> ...
>>
>> Anyone have any luck adding the X-Frame-Option in a windows
>> environment? I have tried using the built in filter with no luck
>> ...seems plenty of fixes but all I find seems to be geared
>> towards a Unix install... currently running Apache Tomcat vers
>> 8.0.26
>
>
> If you expect others to reproduce your result, you have to provide
> exact steps (like in a good bug report) and "what you have seen"
> and "what you have expected".
>
> Beware of typos in your configuration.
>
> Best regards,
> Konstantin Kolinko

Here is the relevant portion of your web.xml:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>
    org.apache.catalina.filters.HttpHeaderSecurityFilter
  </filter-class>
  <hstsEnabled>true</hstsEnabled>
  <antiClickJackingEnabled>true</antiClickJackingEnabled>
  <antiClickJackingOption>SAMEORIGIN</antiClickJackingEnabled>
  <async-supported>true</async-supported>
</filter>

Sorry for the formatting, but line wrap messes things up.

The above doesn't follow the 3.1 specification for deployment descriptors (web.xml), and you should have seen all sorts of error messages in your log files.

To set up init parameters for a servlet filter, you'll need to set up the following block for each init parameter:

<init-param>
  <param-name></param-name>
  <param-value></param-value>
</init-param>

For example:

<init-param>
  <param-name>antiClickJackingEnabled</param-name>
  <param-value>true</param-value>
</init-param>

Note that the above is the default, so it shouldn't have to be specified. This block goes in between the <filter></filter> tag set.

That's 1/2 of the issue. You then have to tell the container what URLs you wish the filter to be applied to. That's done in a <filter-mapping></filter-mapping> tag set. There is one for the httpHeaderSecurity filter already present in the distributed web.xml. It is commented out. Uncomment that, and with the above changes you should be good to go.

Here's the result on my Windows 7 machine for localhost:8080/ :

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 29 Oct 2015 23:34:46 GMT

Reading the servlet specification is a good thing to do. It's short, and pretty reasonably written.

just my two cents . . .
/mde/
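As an added example (not taken from any message in this thread), here is the advice above assembled into one complete block: the filter definition with each setting expressed as an init-param, followed by the filter-mapping that the stock Tomcat 8.0 conf\web.xml ships commented out. It assumes the parameter names documented in the quoted comments and a default web.xml layout.

```xml
<!-- Corrected definition: every setting is an <init-param>, never a bare
     element such as <hstsEnabled> directly inside <filter>. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <!-- Default is already true; listed only to mirror the original intent. -->
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- Default is already true; adds X-Frame-Options to every response. -->
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- Default is DENY; SAMEORIGIN is what the original post asked for.
         ALLOW-FROM would additionally require antiClickJackingUri. -->
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <init-param>
    <!-- Default is already true; adds X-Content-Type-Options: nosniff. -->
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

<!-- Second half of the fix: without a mapping the filter is defined but
     never runs, so no header appears. Uncomment this block in the shipped
     web.xml (or add it) so the filter covers every request path. -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

After restarting Tomcat, the response headers for localhost:8080/ should include X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff as shown in the reply above; a parsing error in web.xml will instead show up in the catalina log at startup.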