Configuring HTTP Header Security Filter

HTTP Header Security Filter settings are part of the Apache Tomcat configuration and by default, the HTTP Header Security Filter is disabled.

In some cases, it is necessary to prevent the possibility of Panopticon being loaded inside an iframe of a web page that is running on a different server. If a web application can be loaded in any iframe, it can become a target of a clickjacking attack. A web application that allows loading into an iframe is said to give a frameable response. The HTTP Header Security Filter can also be used for enabling HTTP Strict Transport Security and Cross-Site Scripting protection.

To enable a HTTP Header Security Filter in Apache Tomcat, select one of the following:

q  To create a filter that applies to all web applications running on the same Tomcat server, configure the filter in the file $CATALINA_BASE/conf/web.xml.

q  To create a filter that applies to Panopticon only, configure the filter in the file $CATALINA_BASE/webapps/panopticon/WEB-INF/web.xml.

Apache Tomcat 9.0 documentation is available on https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter.

The filter class name is org.apache.catalina.filters.HttpHeaderSecurityFilter and in the default $CATALINA_BASE/conf/web.xml, you will find a commented-out filter of this kind by searching for that filter class name. It has a filter-name which is httpHeaderSecurity.

In addition to the filter configuration, mapping must also be enabled for the filter. The default $CATALINA_BASE/conf/web.xml contains a commented-out filter mapping for the filter-name httpHeaderSecurity.