Security Headers Implementation in Tomcat 6.x version

794 views

We are using Tomcat 6.x version and we need to implement the following headers in our environment.

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.

Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.

posted May 29, 2017 by anonymous

Looking for an answer? Promote on:

Facebook Share Button

Twitter Share Button

LinkedIn Share Button

Similar Questions

0 votes

Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x

Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x ? I noticed that Tomcat native connector version 1.1.22 uses : OpenSSL 0.9.8 which doesn't have the heartbleeding bug, but 1.1.24 and 1.1.29 also include the buggy openssl.

How can I find which version of Tomcat uses which version of Tomcat native connector ? For example, how can I figure out which version of Tomcat native connector is used by Tomcat 7.0 build 47.

+1 vote

Tomcat 8 Websocket API: Cookies & Headers

I'm trying to figure out how to get access to the cookies and headers passed up in the Websocket handshake request on Tomcat 8.

In Tomcat 7 the whole HttpServletRequest was passed into the WebSocketServlet. createWebSocketInbound method so it was easy to grab from the request headers. In Tomcat 8 the querystring and URI are both exposed by the javax.websocket.Session passed to ServerEndPoint.onOpen, but I don't see a mechanism for getting the cookies or headers.

We are integrating Websocket connections into an existing web app and want to use the cookies set by our web app in the Websocket connection process.

0 votes

Is the current Tomcat 7 servlet websocket implementation being deprecated?

Is it true that current servlet-based websocket implementation will be deprecated due to the implementation of the JSR-356. We are currently implementing a Tomcat 7-based websocket server implementation that we hoped could scale up to at least 50K concurrent connections [or more], but are concerned if there are any known issues and/or limitations with the websocket implementation in Tomcat 7.

We are currently trying to test how high Tomcat 7 will scale with regards to the maximum number of concurrent websocket connections, but have already hit some problems with only 200 concurrent connections. Perhaps it's our multi-threaded client, or Tomcat configuration - not sure at this point. We have the Tomcat Connector configured with maxConnections=50000 and maxThreads=1000, so 200 concurrent connections shouldn't be a problem.

If anyone could elaborate on the Tomcat 7 servlet websocket implementation stability from a highly concurrent aspect that would be great. Additionally, if anyone has achieved 10(s) of 1000(s) of concurrent websocket connections with Tomcat 7, can you share how Tomcat was configured, what OS it was running on, and what client library you used in testing this?

0 votes

Tomcat Websocket Implementation

I'm looking into a solution that will make extensive use of websockets. Details are unimportant, but here's the question that I'd like to have some insight into. The current implementation (official example) seems independent of the JSR 356.
Is work underway to implement the javax.websocket.* objects, or is what's in org.apache.catalina.websocket it for the enforceable future?

0 votes

Application Deployment in Tomcat 7.X

We are using tomcat 7.X for our project. So far we deploy only one application in tomcat.

Now we are planning to deploy one more application with existing one.

There is requirement that failure of deployment of new application should not affect existing application deployment and tomcat startup. As per my understanding, If any application deployment fails, Tomcat startup will fail.

Please let us know if there is any way to start the tomcat in case of failure of one application deployment also.

...