
Commit d564fc9

set the headers rather than add them
Add header names to the docs and make clear that any existing headers will be replaced. Add the filter to the security howto git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1679716 13f79535-47bb-0310-9956-ffa450edef68
1 parent aabecea commit d564fc9

3 files changed

Lines changed: 22 additions & 11 deletions


java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -89,18 +89,18 @@ public void doFilter(ServletRequest request, ServletResponse response,
8989

9090
// HSTS
9191
if (hstsEnabled && request.isSecure() && response instanceof HttpServletResponse) {
92-
((HttpServletResponse) response).addHeader(HSTS_HEADER_NAME, hstsHeaderValue);
92+
((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
9393
}
9494

9595
// anti click-jacking
9696
if (antiClickJackingEnabled && response instanceof HttpServletResponse) {
97-
((HttpServletResponse) response).addHeader(
97+
((HttpServletResponse) response).setHeader(
9898
ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
9999
}
100100

101101
// Block content type sniffing
102102
if (blockContentTypeSniffingEnabled && response instanceof HttpServletResponse) {
103-
((HttpServletResponse) response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
103+
((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
104104
BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
105105
}
106106
chain.doFilter(request, response);
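Review bot: setHeader only replaces a value that was already on the response when this filter runs, i.e. one written by the container or by a filter earlier in the chain; all three headers are written before `chain.doFilter(request, response);`, so a servlet or later filter that calls setHeader or addHeader on Strict-Transport-Security, X-Frame-Options or X-Content-Type-Options afterwards still overrides or duplicates what this filter set. The "already present will be replaced" wording added to filter.xml in this commit should say that it is the earlier value that is replaced, and that the application's own later writes win. Minor: the `response instanceof HttpServletResponse` test is repeated in each of the three branches; a single check and cast above the HSTS block would make the non-HTTP path explicit and shorten the method.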

webapps/docs/config/filter.xml

Lines changed: 12 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -724,9 +724,11 @@ FINE: Request "/docs/config/manager.html" with response status "200"
724724
<attributes>
725725

726726
<attribute name="hstsEnabled" required="false">
727-
<p>Will an HTTP Strict Transport Security (HSTS) header be added to the
728-
response. See <a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a>
729-
for further details of HSTS. If not specified, the default value of
727+
<p>Will an HTTP Strict Transport Security (HSTS) header
728+
(<code>Strict-Transport-Security</code>) be set on the response for
729+
secure requests. Any HSTS header already present will be replaced. See
730+
<a href="http://tools.ietf.org/html/rfc6797">RFC 6797</a> for further
731+
details of HSTS. If not specified, the default value of
730732
<code>true</code> will be used.</p>
731733
</attribute>
732734

@@ -743,8 +745,9 @@ FINE: Request "/docs/config/manager.html" with response status "200"
743745
</attribute>
744746

745747
<attribute name="antiClickJackingEnabled" required="false">
746-
<p>Should the anti click-jacking <code>X-Frame-Options</code> be added
747-
to the response. If not specified, the default value of
748+
<p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
749+
be set on the response. Any anti click-jacking header already present
750+
will be replaced. If not specified, the default value of
748751
<code>true</code> will be used.</p>
749752
</attribute>
750753

@@ -762,9 +765,10 @@ FINE: Request "/docs/config/manager.html" with response status "200"
762765
</attribute>
763766

764767
<attribute name="blockContentTypeSniffingEnabled" required="false">
765-
<p>Should the header that blocks content type sniffing be added to every
766-
response. If not specified, the default value of <code>true</code> will
767-
be used.</p>
768+
<p>Should the header that blocks content type sniffing
769+
(<code>X-Content-Type-Options</code>) be set on every response. If
770+
already present, the header will be replaced. If not specified, the
771+
default value of <code>true</code> will be used.</p>
768772
</attribute>
769773

770774
</attributes>

webapps/docs/security-howto.xml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -468,6 +468,13 @@
468468
can be configured and used to reject requests that had errors during
469469
request parameter parsing. Without the filter the default behaviour is
470470
to ignore invalid or excessive parameters.</p>
471+
472+
<p><a href="config/filter.html">HttpHeaderSecurityFilter</a> can be
473+
used to add headers to responses to improve security. If clients access
474+
Tomcat directly, then you probably want to enable this filter and all the
475+
headers it sets unless your application is already setting them. If Tomcat
476+
is accessed via a reverse proxy, then the configuration of this filter needs
477+
to be co-ordinated with any headers that the reverse proxy sets.</p>
471478
</section>
472479

473480
<section name="General">
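Review bot: "can be used to add headers to responses" contradicts the purpose of this commit; the filter now sets the headers and replaces any existing value, which is how the filter.xml text in the same change describes it, so use "set" here as well. The reverse-proxy sentence would also be more useful if it said what needs co-ordinating: if both the proxy and this filter emit the same header, say X-Frame-Options, the client receives two values and behaviour is left to the browser; and if the proxy terminates TLS and forwards over plain HTTP, hstsEnabled does nothing unless the request is marked secure before it reaches the filter, because the code guards the HSTS header on request.isSecure().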
