How to add X-Content-Type-Options to tomcat configuration
Solution 1
I think you can achieve it on Tomcat level by the following steps:
- create your filter, package it into jar, put jar into
$CATALINA_BASE/lib/
- add filter definition into
$CATALINA_BASE/conf/web.xml
Solution 2
If you're using Tomcat 8, it's really easy - add these two sections to your web.xml:
<filter>
<filter-name>HeaderSecurityFilter</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HeaderSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The server response now has 'nosniff' and X-Frame-Options: DENY by default
More detail: Tomcat 8 Filter Configuration
Solution 3
Sample filter class code.
public class SampleResponseFilter implements Filter {
@Override
public void destroy() { }
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException
{
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
// Protection against Type 1 Reflected XSS attacks
res.addHeader("X-XSS-Protection", "1; mode=block");
// Disabling browsers to perform risky mime sniffing
res.addHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(req,res);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException { }
}
Solution 4
To supplement on the answer by Ed Noriss. If I just use a filter mappen like this
<filter-mapping>
<filter-name>HeaderSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
to target everything, there will be some unnecessary headers (x-xss-protection and X-Frame-Options) when loading media-resources such as jpg, png etc. (according to https://sonarwhal.com linting tool).
In order to avoid theses I've created two filters and mappings like this:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>httpHeaderSecurityNoX</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>false</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
...
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>httpHeaderSecurityNoX</filter-name>
<url-pattern>*.jpg</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>httpHeaderSecurityNoX</filter-name>
<url-pattern>*.png</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
and several more filter mappings hitting httpHeaderSecurityNoX for each of these extensions: png, gif, js, css, ico (maybe it could be contained in one single url-pattern?)
The init-param
xssProtectionEnabled
was not listed in the Tomcat web.xml comments, but found it here
https://vk4u.wordpress.com/2017/03/02/how-to-enable-security-filters-in-tomcat/
happenask
hi, i am Biginner java developer. i have a lot of question about java web and i hope to learn java skill a lot although my english skill is low , i am going to do many activities in here i will keep going to become the best developer in the world
Updated on July 09, 2022Comments
-
happenask almost 2 years
My client want me to fix Web App vulnerability of My Web App below is message about vulnerability of My Web App
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'
This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a >Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown
Although I already found some solution to this issue , I am looking for solution from tomcat configuration. Is it possible to make changes to tomcat configuration to accomplish this?
please give me any idea.
-
happenask almost 10 yearscan you explain in more detail?
-
potato almost 10 yearsSure, what you do is create a custom implementation of
javax.servlet.Filter
(let's name itorg.happenask.filter.ContentTypeOptionsFilter
), package it into jar with maven or whatever, drop it into$CATALINA_BASE/lib/
and after that define it inweb.xml
as filter with name/mapping that you want and set filter class to<filter-class>org.happenask.filter.ContentTypeOptionsFilter</filter-class>