Enabling Secure HTTP Header in Apache Tomcat
Secure HTTP headers help protect against Cross-Site Scripting (XSS) attacks, cross-site request forgery, and other unauthorized actions.
To enable secure HTTP headers in Apache Tomcat, PTC recommends the following steps. They cause Tomcat to send these headers on every response:
• X-Frame-Options: DENY
• X-Content-Type-Options: nosniff
• X-XSS-Protection: 1; mode=block
It is recommended to take a backup of any configuration file before making changes in it.
1. Open <Tomcat install directory>\conf\web.xml in a text editor.
2. Uncomment the following filter (it is commented out by default):
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
3. Add the following immediately after the above filter:
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
4. Save web.xml.
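After saving, restart Tomcat so that the edited conf/web.xml is read; because this is the server-wide web.xml, the filter then applies to every deployed web application. The script below is an added example (not part of the PTC page and not Tomcat's own code) that verifies the two things the procedure is meant to achieve: check_web_xml() parses a web.xml and confirms that HttpHeaderSecurityFilter is declared (not still inside an XML comment) and mapped to a URL pattern, and check_response_headers() confirms that a response actually carries the three headers listed above. The web.xml fragment and the response header block embedded in it are constructed samples; fetch_headers() and the file path arguments are assumptions for running it against a real instance.

```python
"""Added example (not PTC's or Tomcat's code): verify that web.xml wires up
HttpHeaderSecurityFilter and that a response carries the expected headers."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Header names are compared case-insensitively; the values are those the page lists.
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# Constructed sample: the relevant part of conf/web.xml after steps 2 and 3.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample: a response header block from a Tomcat with the filter active.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""


def _local(tag):
    """Drop the namespace so the check works for javaee and jakartaee web.xml files."""
    return tag.split("}", 1)[-1]


def _children(element):
    """Map an element's direct children to their stripped text, keyed by local tag name."""
    return {_local(c.tag): (c.text or "").strip() for c in element}


def check_web_xml(xml_text):
    """Return whether the filter is declared and which URL patterns are mapped to it.

    A block still wrapped in an XML comment is invisible to the parser, so a
    filter that was never uncommented correctly reports as not declared."""
    root = ET.fromstring(xml_text)
    names = set()
    for el in root:
        if _local(el.tag) == "filter":
            info = _children(el)
            if info.get("filter-class") == FILTER_CLASS:
                names.add(info.get("filter-name"))
    patterns = []
    for el in root:
        if _local(el.tag) == "filter-mapping":
            info = _children(el)
            if info.get("filter-name") in names:
                patterns.append(info.get("url-pattern"))
    return {"filter_declared": bool(names), "mapping_patterns": patterns}


def check_response_headers(raw_headers):
    """Return a list of problems (missing headers or unexpected values); empty means all good."""
    seen = {}
    for line in raw_headers.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            seen[name.strip().lower()] = value.strip()
    problems = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in seen:
            problems.append(f"{name}: missing")
        elif seen[name] != expected:
            problems.append(f"{name}: got {seen[name]!r}, expected {expected!r}")
    return problems


def fetch_headers(url):
    """Fetch a URL (assumed to be your own Tomcat) and return its headers as 'Name: value' lines."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return "".join(f"{k}: {v}\n" for k, v in resp.getheaders())


if __name__ == "__main__":
    # Usage: python check_headers.py <path-to-conf/web.xml> [http://host:8080/]
    with open(sys.argv[1], encoding="utf-8") as fh:
        print("web.xml:", check_web_xml(fh.read()))
    if len(sys.argv) > 2:
        problems = check_response_headers(fetch_headers(sys.argv[2]))
        print("response:", problems or "all expected headers present")
```

Run it with the path to conf/web.xml and, optionally, the base URL of the restarted Tomcat; a non-empty problem list means either the filter is still commented out, the filter-mapping was not added, or a web application is overriding the headers. The parser check is deliberately namespace-agnostic because the web.xml shipped with Tomcat 8 and 9 uses the javaee namespace while Tomcat 10 uses jakartaee.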