Configuring HTTP Header Security Filter
HTTP Header Security Filter settings are part of the Apache Tomcat configuration and by default, the HTTP Header Security Filter is disabled.
In some cases, it is necessary to prevent the possibility of Panopticon being loaded inside an iframe of a web page that is running on a different server. If a web application can be loaded in any iframe, it can become a target of a clickjacking attack. A web application that allows loading into an iframe is said to give a frameable response. The HTTP Header Security Filter can also be used for enabling HTTP Strict Transport Security and Cross-Site Scripting protection.
To enable a HTTP Header Security Filter in Apache Tomcat, select one of the following:
q To create a filter that applies to all web applications running on the same Tomcat server, configure the filter in the file $CATALINA_BASE/conf/web.xml.
q To create a filter that applies to Panopticon only, configure the filter in the file $CATALINA_BASE/webapps/panopticon/WEB-INF/web.xml.
Apache Tomcat 9.0 documentation is available on https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
The filter class name is org.apache.catalina.filters.HttpHeaderSecurityFilter and in the default $CATALINA_BASE/conf/web.xml, you will find a commented-out filter of this kind by searching for that filter class name. It has a filter-name which is httpHeaderSecurity.
In addition to the filter configuration, mapping must also be enabled for the filter. The default $CATALINA_BASE/conf/web.xml contains a commented-out filter mapping for the filter-name httpHeaderSecurity.
· The filter and the filter mapping must match by the filter-name.
· Filter mapping comes after the filter definition.
· By simply de-commenting the filter named httpHeaderSecurity and the filter mapping for the same filter-name, and then restarting Tomcat, you will enable a HTTP Header Security Filter where:
o The parameter hstsEnabled is applied with a default value true.
o The parameter hstsMaxAgeSeconds is applied with a default value 0.
o The parameter hstsIncludeSubDomains is applied with a default value false.
o The parameter hstsPreload is applied with a default value false.
o The parameter antiClickJackingEnabled is applied with a default value true.
o The parameter antiClickJackingOption is applied with a default value DENY.
o The parameter blockContentTypeSniffingEnabled is applied with a default value true.
o The parameter xssProtectionEnabled is applied with a default value true.
o The filter-mapping applies to all URLs on the server.