Showing posts with label Web server. Show all posts

Friday, December 15, 2017

How to handle HTTP Header related issue in Apache


The steps below clear the following HTTP header related findings that security scanners commonly raise against web applications hosted on the Apache HTTP Server:
  • Web Browser XSS Protection Not Enabled
  • X-Frame-Options Header Not Set
  • X-Content-Type-Options Header Missing
  • Incomplete or No Cache-control and Pragma HTTP Header Set


These findings are handled by adding the following lines to httpd.conf (or to the <VirtualHost> block of the site). Use plain ASCII double quotes: curly quotes pasted from a word processor make the config check fail. The "always" condition makes mod_headers add the header to error responses (4xx/5xx) as well as to 2xx responses; scanners flag error pages too, and plain "Header set" leaves them without these headers. "set" rather than "append" avoids a comma-joined value such as "DENY, DENY" when the application already sends the header itself.

# "always" covers error responses too; "set" never duplicates a value the app already sends
Header always set X-XSS-Protection "1; mode=block"
# Only in the HTTPS virtual host: browsers ignore HSTS received over plain HTTP
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# default-src 'self' blocks inline scripts/styles and third-party origins; test the application before enforcing it
Header always set Content-Security-Policy "default-src 'self';"

Note that none of these lines touches Cache-Control or Pragma, so the fourth finding in the list above is not cleared by them. Set Cache-Control: no-cache, no-store, must-revalidate and Pragma: no-cache only on the dynamic (authenticated) responses; a site-wide no-store also stops browsers from caching static assets.



The mod_headers module must also be loaded, so uncomment the following LoadModule line (verify with "apachectl -M | grep headers" and run "apachectl configtest" before restarting):

LoadModule headers_module modules/mod_headers.so


Run the security audit again: the header findings should now be cleared on every response, including error pages.

Handling HTTP Header related security issues in Tomcat 8 web applications


The following findings commonly appear in the security audit report of any Java web application:

  • Web Browser XSS Protection Not Enabled
  • X-Frame-Options Header Not Set
  • X-Content-Type-Options Header Missing
  • Incomplete or No Cache-control and Pragma HTTP Header Set

Tomcat 8 ships a servlet filter, org.apache.catalina.filters.HttpHeaderSecurityFilter, that adds the following headers to every response it handles:


  • X-Frame-Options – prevents clickjacking (DENY by default; SAMEORIGIN if the application frames its own pages)
  • X-XSS-Protection – turns on the browser's reflected XSS filter (a legacy header; current browsers have dropped the filter)
  • X-Content-Type-Options – blocks MIME type sniffing
  • HSTS – adds Strict-Transport-Security, on HTTPS requests only

Enabling it takes one step: uncomment the following lines in Tomcat's own web.xml (conf/web.xml). The stock file uses the filter name httpHeaderSecurity; any name works as long as <filter> and <filter-mapping> use the same one.

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Remember that this is Tomcat's conf/web.xml, which applies to every deployed application, not an individual application's WEB-INF/web.xml (the same filter can be declared there instead to harden a single application). After uncommenting these lines, restart Tomcat and redo the security audit; the header findings are cleared. Two caveats: the filter only sends Strict-Transport-Security when the request is secure (HTTPS, or a connector configured with secure="true"), and its default hstsMaxAgeSeconds is 0, so add an <init-param> such as hstsMaxAgeSeconds=31536000 (and antiClickJackingOption=SAMEORIGIN if the application frames itself) or the HSTS policy expires immediately. The filter does not set Cache-Control or Pragma; those must come from the application itself or from a reverse proxy in front of Tomcat.