Last updated: September 6, 2022

Injecting security headers into the HTTP response can mitigate many common web security vulnerabilities.

If you manage a production environment or a payment-related application, the security or penetration testing team will also ask you to implement the necessary HTTP headers to comply with the PCI DSS security standard.

A security header instructs the browser to do, or not to do, certain things in order to prevent specific classes of attack.

Most of you will be running a web server such as Apache, Nginx or IIS in front of Tomcat, so you can implement the headers directly in the web server.

However, if you don’t have a web server in front, or need to implement the headers directly in Tomcat, the good news is that Tomcat 8 supports this natively.

Tomcat 8 has added support for the following HTTP response headers.

  • X-Frame-Options – to prevent clickjacking attacks
  • X-XSS-Protection – to avoid cross-site scripting attacks
  • X-Content-Type-Options – to block content type sniffing
  • HSTS – to add HTTP Strict Transport Security

I’ve tested with Apache Tomcat 8.5.15 on Digital Ocean Linux (CentOS distro) server.

Note: If you are looking for overall hardening and security, you may refer to this guide.

As a best practice, take a backup of the necessary configuration files before making changes, or test in a non-production environment first.

  • Log in to the Tomcat server
  • Go to the conf folder under the path where Tomcat is installed
  • Uncomment the following filter in web.xml (it is commented out by default)

By uncommenting the above, you instruct Tomcat to load the HTTP Header Security filter.

  • Add the following filter mapping just after the filter above

By adding the above, you instruct Tomcat to inject the HTTP headers into every application URL.

  • Restart Tomcat and access the application to verify the headers.

You may use an online tool to verify the headers, or press F12 in a browser and inspect the response headers in the Network tab.

Here is a quick filter reference taken from the web.xml file.

  <!-- ================== Built In Filter Definitions ===================== -->
  <!-- A filter that sets various security related HTTP Response headers.   -->
  <!-- This filter supports the following initialization parameters         -->
  <!-- (default values are in square brackets):                             -->
  <!--                                                                      -->
  <!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
  <!--                       (HSTS) header be added to the response? See    -->
  <!--                       RFC 6797 for more information on HSTS. [true]  -->
  <!--                                                                      -->
  <!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
  <!--                       HSTS header. Negative values will be treated   -->
  <!--                       as zero. [0]                                   -->
  <!--                                                                      -->
  <!--   hstsIncludeSubDomains                                              -->
  <!--                       Should the includeSubDomains parameter be      -->
  <!--                       included in the HSTS header.                   -->
  <!--                                                                      -->
  <!--   antiClickJackingEnabled                                            -->
  <!--                       Should the anti click-jacking header           -->
  <!--                       X-Frame-Options be added to every response?    -->
  <!--                       [true]                                         -->
  <!--                                                                      -->
  <!--   antiClickJackingOption                                             -->
  <!--                       What value should be used for the header. Must -->
  <!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
  <!--                       (case-insensitive). [DENY]                     -->
  <!--                                                                      -->
  <!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
  <!--                       allowed? []                                    -->
  <!--                                                                      -->
  <!--   blockContentTypeSniffingEnabled                                    -->
  <!--                       Should the header that blocks content type     -->
  <!--                       sniffing be added to every response? [true]    -->

Enabling security headers in Tomcat 8 is straightforward, and as an administrator you should plan to implement them for better security.

If you are new to Tomcat, you may be interested in taking this Apache Tomcat administration course.

Author: Chandan Kumar