
Enable Tomcat's HttpHeaderSecurityFilter #20058

Closed
wezell opened this issue Mar 8, 2021 · 2 comments · Fixed by #20061
Labels
Changelog: Skip Not customer facing and never seen by customers issues Merged OKR : Security & Privacy Owned by Mehdi QA : Approved QA : Passed Internal Release : 5.3.8.6 Included in LTS patch release 5.3.8.6 Release : 21.03 Type : Enhancement

Comments

@wezell
Contributor

wezell commented Mar 8, 2021

Tomcat ships with a filter that will add security-related headers to a Tomcat installation. Now that we ship with SSL on by default (https://local.dotcms.site:8443), we should also turn on this filter. I believe our OTB settings should be something like:

https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter

hstsEnabled=true
hstsMaxAgeSeconds=3600
hstsIncludeSubDomains=true
antiClickJackingEnabled=true
antiClickJackingOption=SAMEORIGIN
blockContentTypeSniffingEnabled=true
xssProtectionEnabled=true
@victoralfaro-dotcms
Contributor

Security headers are found:

$ curl --head https://local.dotcms.site:8443
HTTP/1.1 404
Strict-Transport-Security: max-age=3600;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=22FA6A4D253724B66FB2C85B7102E11F; Path=/; Secure; HttpOnly; SameSite=Strict
vary: accept-encoding
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Tue, 09 Mar 2021 19:14:37 GMT
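The check above is done by eye; the script below is an added example (not part of the issue, dotCMS, or Tomcat) that does it mechanically for the settings proposed in the first comment. It parses a constructed web.xml fragment declaring Tomcat's HttpHeaderSecurityFilter with those init-params, derives the header values the filter is configured to emit, and compares them against a captured response. The filter class name is Tomcat's; the web.xml fragment, the sample response (copied from the curl output above with the cookie value replaced) and the fallback defaults are assumptions for the example.

```python
"""Derive the headers Tomcat's HttpHeaderSecurityFilter is configured to emit
from a web.xml fragment, then verify a captured HTTP response against them.
Added example: the web.xml fragment below is constructed, not dotCMS's file."""
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed web.xml fragment carrying the init-params proposed in the issue.
WEB_XML = """<web-app>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>3600</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Response headers copied from the curl output in the issue (cookie value replaced).
RESPONSE = """HTTP/1.1 404
Strict-Transport-Security: max-age=3600;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=REDACTED; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html;charset=ISO-8859-1
"""


def filter_params(web_xml: str) -> dict:
    """Return the init-params of the HttpHeaderSecurityFilter declaration."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if (flt.findtext("filter-class") or "").strip() == FILTER_CLASS:
            return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                    for p in flt.findall("init-param")}
    raise ValueError("HttpHeaderSecurityFilter is not declared in web.xml")


def expected_headers(params: dict) -> dict:
    """Map init-params to the headers the filter emits (names lower-cased).
    Fallback defaults are assumed from the Tomcat 9 docs; the issue sets
    every parameter explicitly, so they do not affect this example."""
    def on(name: str, default: str) -> bool:
        return params.get(name, default).strip().lower() == "true"

    expected = {}
    if on("hstsEnabled", "true"):
        # Tomcat joins HSTS directives with ';' and no space, as seen in the curl output.
        value = f"max-age={params.get('hstsMaxAgeSeconds', '0')}"
        if on("hstsIncludeSubDomains", "false"):
            value += ";includeSubDomains"
        expected["strict-transport-security"] = value
    if on("antiClickJackingEnabled", "true"):
        expected["x-frame-options"] = params.get("antiClickJackingOption", "DENY")
    if on("blockContentTypeSniffingEnabled", "true"):
        expected["x-content-type-options"] = "nosniff"
    if on("xssProtectionEnabled", "true"):
        expected["x-xss-protection"] = "1; mode=block"
    return expected


def parse_headers(raw_response: str) -> dict:
    """Parse 'Name: value' lines after the status line into a lower-cased dict."""
    headers = {}
    for line in raw_response.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check(raw_response: str, web_xml: str) -> list:
    """Return a list of problems; an empty list means every configured header matched."""
    def norm(value: str) -> str:
        # Directive names are case-insensitive and servers differ on spacing after ';'.
        return value.replace(" ", "").lower()

    want = expected_headers(filter_params(web_xml))
    got = parse_headers(raw_response)
    problems = []
    for name, value in want.items():
        if name not in got:
            problems.append(f"missing {name}")
        elif norm(got[name]) != norm(value):
            problems.append(f"{name}: expected {value!r}, got {got[name]!r}")
    return problems


if __name__ == "__main__":
    print(check(RESPONSE, WEB_XML) or "all configured security headers present")
```

The filter only adds Strict-Transport-Security on requests Tomcat considers secure, so the response has to be captured over HTTPS (as the curl above does) or the HSTS check will report it missing; a run over plain HTTP on port 8080 is not a valid test of this setting.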

@bryanboza
Member

Fixed, tested on release 21.03 // Postgres // FF

dsilvam pushed a commit that referenced this issue Mar 16, 2021
* #20058 turn on security options

* #20098 this sets the mime type to a page if the url is a page in dotCMS
@wezell wezell closed this as completed Mar 17, 2021
dsilvam added a commit that referenced this issue Mar 18, 2021
* Fixing Task201014UpdateColumnsValueInIdentifierTableTest (#20026)

* Fixing test

* run-all

* Refactoring validations after code review suggestion

* run-all

Co-authored-by: Nollymar Longa <>

* Updating core-web version

* new core-web artifact

* 19992 rebuild es client on illegal state exception (#20014)

* #1992 Rebuild REST High Level Client if Reactor stopped

* #1992 remove not-needed code

* #1992 remove not-needed code

* #19992 Default impl for rebuildClient. Move rebuilding to separate catch

* #19992 Rebuild client on IllegalState Reactor wrapped and unwrapped

* #19992 null-check

Co-authored-by: Daniel Silva <daniel.silva@dotcms.com>

* Update coreWebReleaseVersion

* Issue 20038 samesite strict (#20051)

* #20038 redirect using html form

* #20038 html based redirect

* Updating starter version to 20210305

* new core-web version

* Update coreWebReleaseVersion

* #19772 Avoid Login when a logout request is sent (#20037)

* #19772 Avoid Login when a logout request is sent

* #19772 Add test to the MainSuite

* #20058 turn on security options (#20061)

* Upgrade saml to 21.03 (#20070)

* #20063 sending cookies httponly and secure (#20065)

* Issue 19934 adding folder to root throws a jsp error (#20073)

* If folder is newly not show the permission tab

* #19934 Format

* Fix tests oracle (#20054)

* Fix ContentletWebAPIImplIntegrationTest

* replace null with empty string

* Remove extra folder extension

* run-all

* Upgrade saml 21.03 (#20076)

* Upgrade saml to 21.03

* upgrade saml to 21.03.1

* Change order of Mapping test. Decrease time in other tests. Move IT t… (#20072)

* Change order of Mapping test. Decrease time in other tests. Move IT to Unit

* Attempt removing getting-started-layout by id and name

* Missing changes

* #19683 Create endpoint to get the create content url

* Fixing test (#20086)

* Fixing test

* Fixing test

* Update .gitmodules

* Find getting started layout by name instead of id (#20092)

* Changing the logic to get the Getting Starter portlet layout. Now, it searches by name instead of id

* Updating starter version

Co-authored-by: Nollymar Longa <>

* Update image api url in gs portlet

* Issue 20098 send page mimetype if is page (#20099)

* #20058 turn on security options

* #20098 this sets the mime type to a page if the url is a page in dotCMS

* Remove same height container fix

* Update .gitmodules

* Update gradle.properties

* Update gradle.properties

Co-authored-by: Nollymar Longa <nollymar.longa@dotcms.com>
Co-authored-by: Nollymar Longa <>
Co-authored-by: Will Ezell <will@dotcms.com>
Co-authored-by: Freddy Montes <freddymontes@gmail.com>
Co-authored-by: dotcmsbuild <dotcmsbuild@dotcms.com>
Co-authored-by: Freddy Rodriguez <freddy0309@gmail.com>
Co-authored-by: Jonathan <jonathan.sanchez@dotcms.com>
Co-authored-by: erickgonzalez <erick.gonzalez@dotcms.com>
@jcastro-dotcms jcastro-dotcms added LTS : Next Ticket that will be added to LTS Severity : Support Requested labels Jul 15, 2021
@jcastro-dotcms jcastro-dotcms added LTS: Released Release : 5.3.8.6 Included in LTS patch release 5.3.8.6 and removed LTS : Next Ticket that will be added to LTS labels Aug 22, 2021
@rweiner rweiner added the Changelog: Skip Not customer facing and never seen by customers issues label Oct 1, 2021