If you are managing a production environment or a payment-related application, your security/penetration testing team will also ask you to implement the necessary HTTP headers to comply with the PCI-DSS security standard. Secure headers instruct the browser to do, or not to do, certain things in order to prevent particular attacks. Most of you are probably running a web server such as Apache, Nginx or IIS in front of Tomcat, so you can implement the headers directly in that web server. However, if you have no web server in front, or need to implement the headers directly in Tomcat, there is good news if you are using Tomcat 8: Tomcat 8 has added support for the following HTTP response headers.

- X-Frame-Options – to prevent clickjacking attacks
- X-XSS-Protection – to avoid cross-site scripting attacks
- X-Content-Type-Options – to block content type sniffing
- HSTS – to add Strict-Transport-Security

I’ve tested this with Apache Tomcat 8.5.15 on a Digital Ocean Linux (CentOS distro) server. Note: if you are looking for overall hardening and security, you may refer to this guide. As a best practice, take a backup of the necessary configuration files before making changes, or test in a non-production environment.

1. Log in to the Tomcat server.
2. Go to the conf folder under the path where Tomcat is installed.
3. Uncomment the following filter (it is commented out by default).

By uncommenting the above, you instruct Tomcat to load the HTTP Header Security filter.

4. Add the following filter mapping just after the filter above.

By adding the above, you instruct Tomcat to inject the HTTP headers into every application URL.

5. Restart Tomcat and access the application to verify the headers.

You may use an online tool to verify the headers, or press F12 in a browser and inspect the response headers. Here is a quick filter reference taken from a web.xml file. Enabling secure headers in Tomcat 8 is straightforward, and as an administrator you should plan to implement them for better security. If you are new to Tomcat, you may be interested in taking this Apache Tomcat administration course.
