Injecting HTTP Response with the secure header can mitigate most of the web security vulnerabilities.
If you are managing production environment or payment related application, then you will also be asked by security/penetration testing team to implement necessary HTTP header to comply with PCI-DSS security standard.
Having secure header instruct browser to do or not to do certain things to prevent certain security attack.
Most of you might be using a web server like Apache, Nginx, IIS in front of Tomcat so you may implement the headers directly in web server.
However, if you don’t have any web server in front or need to implement directly in Tomcat then good news if you are using Tomcat 8.
Tomcat 8 has added support for following HTTP response headers.
- X-Frame-Options – to prevent clickjacking attack
- X-XSS-Protection – to avoid cross-site scripting attack
- X-Content-Type-Options – block content type sniffing
- HSTS – add strict transport security
I’ve tested with Apache Tomcat 8.5.15 on Digital Ocean Linux (CentOS distro) server.
Note: If you are looking for overall hardening & security then you may refer this guide.
As a best practice, take a backup of necessary configuration file before making changes or test in a non-production environment.
- Login to Tomcat server
- Go to the conf folder under path where Tomcat is installed
- Uncomment the following filter (by default it’s commented)
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter>
By uncommenting above, you instruct Tomcat to support HTTP Header Security filter.
- Add the following just after the above filter
<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
By adding above you instruct Tomcat to inject the HTTP Header in all the application URL.
- Restart the Tomcat and access the application to verify the headers.
You may use an online tool to verify the header or use F12 on a browser to inspect.
Here is quick filter reference taken from a web.xml file.
<!-- ================== Built In Filter Definitions ===================== --> <!-- A filter that sets various security related HTTP Response headers. --> <!-- This filter supports the following initialization parameters --> <!-- (default values are in square brackets): --> <!-- --> <!-- hstsEnabled Should the HTTP Strict Transport Security --> <!-- (HSTS) header be added to the response? See --> <!-- RFC 6797 for more information on HSTS. [true] --> <!-- --> <!-- hstsMaxAgeSeconds The max age value that should be used in the --> <!-- HSTS header. Negative values will be treated --> <!-- as zero.  --> <!-- --> <!-- hstsIncludeSubDomains --> <!-- Should the includeSubDomains parameter be --> <!-- included in the HSTS header. --> <!-- --> <!-- antiClickJackingEnabled --> <!-- Should the anti click-jacking header --> <!-- X-Frame-Options be added to every response? --> <!-- [true] --> <!-- --> <!-- antiClickJackingOption --> <!-- What value should be used for the header. Must --> <!-- be one of DENY, SAMEORIGIN, ALLOW-FROM --> <!-- (case-insensitive). [DENY] --> <!-- --> <!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be --> <!-- allowed?  --> <!-- --> <!-- blockContentTypeSniffingEnabled --> <!-- Should the header that blocks content type --> <!-- sniffing be added to every response? [true] -->
Enabling secure header in Tomcat 8 is straightforward, and as an administrator, you should plan to implement them for better security.
If you are new to Tomcat, you may be interested in taking this Apache Tomcat administration course.