Friday, December 15, 2017

Handling HTTP Header related security issues in Tomcat 8 web applications


The following issues commonly occur in the security audit reports of Java web applications:

  • Web Browser XSS Protection Not Enabled
  • X-Frame-Options Header not set
  • X-Content-Type-Options header missing
  • Incomplete or No Cache-Control and Pragma HTTP Header Set

Tomcat 8 provides support for the following HTTP headers:

  • X-Frame-Options – to prevent clickjacking attacks
  • X-XSS-Protection – to enable the browser's cross-site scripting filter
  • X-Content-Type-Options – to block content type sniffing
  • HSTS – to add Strict-Transport-Security

To use this filter we need to follow a few simple steps. Just uncomment the following lines in Tomcat's web.xml file (\conf\web.xml):

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Remember, this is Tomcat's own web.xml, not the application's individual web.xml file. After uncommenting these lines, restart Tomcat and redo the security audit; you will see that the issues are handled.
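To re-check the audit findings yourself without waiting for the next scanner run, the following added example (not from the original post or from Tomcat) parses a raw HTTP response and reports which of the findings listed above still apply. The two responses are constructed samples, one from a Tomcat with the filter commented out and one with it enabled plus explicit cache headers; the Cache-Control and Pragma check is included because it is in the audit list, although the filter itself only sets the four headers named above.

```python
"""Audit an HTTP response for the headers a Tomcat security audit reports on.

Added example, not code from the original post. BEFORE and AFTER are
constructed sample responses; the header values in AFTER match the
defaults the HttpHeaderSecurityFilter sends (DENY, nosniff, 1; mode=block).
"""

BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n\r\n"
)

AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"   # constructed max-age
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Return the audit findings that still apply to the parsed headers."""
    findings = []
    if not headers.get("x-xss-protection", "").startswith("1"):
        findings.append("Web Browser XSS Protection Not Enabled")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options Header not set")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options header missing")
    cache = headers.get("cache-control", "").lower()
    if "no-store" not in cache or headers.get("pragma", "").lower() != "no-cache":
        findings.append("Incomplete or No Cache-Control and Pragma HTTP Header Set")
    if "max-age=" not in headers.get("strict-transport-security", "").lower():
        findings.append("Strict-Transport-Security header missing")
    return findings
```

Feed `parse_headers` the output of a `curl -sI` against the deployed application to run the same checks against a live server.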
