Can Tomcat 7 be configured to insert “Content-Security-Policy” HTTP header?

长发绾君心 2021-01-11 22:01

Can Tomcat 7 be configured to insert Content-Security-Policy: frame-ancestors 'self' HTTP header with every response, like it can insert other security relate

1 answer
  • 2021-01-11 22:45

    Once it cannot be achieved with Tomcat 7.x built-in filters, you could try one of the following options:

    Creating a filter in your application

    If adding a filter to your application is an option, you could use the following code to add a header to every response:

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletResponse;

    @WebFilter("/*")
    public class MyFilter implements Filter {

        // Servlet 3.0 (Tomcat 7) has no default methods on Filter, so init/destroy must be implemented
        @Override
        public void init(FilterConfig filterConfig) throws ServletException { }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {

            // set the header before continuing the chain, while the response is still uncommitted
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.setHeader("Content-Security-Policy", "frame-ancestors 'self'");

            chain.doFilter(request, response);
        }

        @Override
        public void destroy() { }
    }


    Creating a custom valve in your Tomcat

    Another option is a custom valve. Quoting the steps from this page:

    1. Create a Maven Java Application.

    2. Add the following dependency:

    <dependency>
        <groupId>org.apache.tomcat</groupId>
        <artifactId>tomcat-catalina</artifactId>
        <version>7.0.34</version>
        <scope>provided</scope>
    </dependency>

    3. Create your Java class and extend it from ValveBase.

    4. Implement the invoke(Request, Response) method.

    5. Build your library (.jar) file.

    6. Install the library in the ${tomcat.home}/lib directory.

    7. Configure the server.xml to use your new valve. For example:

    <Valve className="com.example.MyValve"/>

    8. Start the server to see your new valve in action.

    Your valve implementation could be like:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.ValveBase;

    public class MyValve extends ValveBase {

        @Override
        public void invoke(Request request, Response response) throws IOException,
                                                                      ServletException {

            // Tomcat's Response wraps the servlet-facing HttpServletResponse
            HttpServletResponse httpResponse = response.getResponse();
            httpResponse.setHeader("Content-Security-Policy", "frame-ancestors 'self'");

            // hand off to the next valve in the pipeline
            getNext().invoke(request, response);
        }
    }
