Enabling Secure HTTP Header in Apache Tomcat 8.5
Secure HTTP Headers provide protection against Cross-Site Scripting (XSS) attacks, cross-site request forgery, and other unauthorized actions.
To enable secure HTTP headers in Apache Tomcat, PTC recommends the following steps. These steps set the following headers:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
It is recommended to back up any configuration file before making changes to it.
1. Open <Tomcat install directory>\conf\web.xml in a text editor.
2. Uncomment the following filter (by default, it is commented):
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
3. Add the following immediately after the above filter:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4. Save web.xml.
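
One way to confirm that steps 2 and 3 took effect, as an added example (not PTC or Apache code): it parses the text of web.xml and reports whether the httpHeaderSecurity filter is active and mapped to /*. The function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def local(tag):
    """Strip the XML namespace that <web-app> declares on every element."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def named(root, tag):
    """Top-level <tag> elements whose <filter-name> is httpHeaderSecurity."""
    return [e for e in root if local(e.tag) == tag
            and child_text(e, "filter-name") == FILTER_NAME]

def check_web_xml(xml_text):
    """Return a list of problems; an empty list means steps 2 and 3 are in place."""
    # The parser discards XML comments, so a filter that is still
    # commented out is simply not found.
    root = ET.fromstring(xml_text)
    filters, mappings = named(root, "filter"), named(root, "filter-mapping")
    problems = []
    if not filters:
        problems.append("filter is missing or still commented out")
    elif child_text(filters[0], "filter-class") != FILTER_CLASS:
        problems.append("filter-class is not HttpHeaderSecurityFilter")
    if not any(child_text(m, "url-pattern") == "/*" for m in mappings):
        problems.append("no filter-mapping with url-pattern /*")
    return problems

# Constructed samples (not a full Tomcat web.xml): default state vs. after steps 2-3.
HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
FILTER = ("<filter><filter-name>httpHeaderSecurity</filter-name>"
          f"<filter-class>{FILTER_CLASS}</filter-class>"
          "<async-supported>true</async-supported></filter>")
MAPPING = ("<filter-mapping><filter-name>httpHeaderSecurity</filter-name>"
           "<url-pattern>/*</url-pattern></filter-mapping>")
DEFAULT_XML = f"{HEAD}<!-- {FILTER} --></web-app>"
FIXED_XML = f"{HEAD}{FILTER}{MAPPING}</web-app>"

if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_XML), ("fixed", FIXED_XML)):
        print(label, check_web_xml(xml_text) or "OK")
```

To check a real installation, pass the contents of <Tomcat install directory>\conf\web.xml to check_web_xml.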