Content security policy header in tomcat9 - security

I want to add a Content-Security-Policy header in Tomcat. I am able to add an X-Frame-Options header by changing the web.xml file, but I do not know if I can add a Content-Security-Policy header in the same way.
Please help on this.

Using the web.xml file you can publish some security headers, for example X-Frame-Options and X-XSS-Protection, but not the Content-Security-Policy one.
This is because the web.xml config is based on built-in Tomcat filters, which do not support the CSP header yet. Therefore, you need to create a custom servlet filter, which can then be used in the web.xml file.
You can find some nitty-gritty about custom filter creation in the grails-x-frame-options-plugin, based on the XFO header.
OWASP also has a detailed example of a CSP filter.

Related

Should Content-Security-Policy header be applied to all resources?

Is it necessary to apply the Content-Security-Policy header to all resources on your domain (images/CSS/JavaScript) or just web pages?
For example, I noticed that https://content-security-policy.com/images/csp-book-cover-sm.png has a CSP header.
It is only necessary to apply it to web pages that are rendered in a browser, as CSP controls the allowed sources for content, framing, etc. of such pages. Typically you will only need to set it on non-redirect responses with the content type "text/html". As CSP can be set in a meta tag, another way to look at it is that it only makes sense on responses that could include a meta tag.
As it is often simpler, or the only option, to just add a response header to all responses, CSPs are often applied to all content types and codes even though they are not strictly needed. Additionally it is recommended to add a CSP with a strict frame-ancestors to REST APIs to prevent drag-and-drop style clickjacking attacks, see https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers.
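Added example, not code from either answer and not part of Tomcat itself: a custom servlet filter of the kind the Tomcat answer above calls for, which also applies the split this answer recommends, the full policy on pages and frame-ancestors only on REST paths. It is written against the javax.servlet API that Tomcat 9 ships; the package name com.example, the init-param names and the /api/ prefix are this example's own assumptions and can be changed in web.xml.

```java
package com.example;  // hypothetical package; must match <filter-class> in web.xml

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets Content-Security-Policy, which Tomcat's built-in HttpHeaderSecurityFilter
 * does not provide. Pages get the full policy; paths under the REST prefix get only
 * frame-ancestors, because an API response is never rendered but can still be
 * framed for drag-and-drop clickjacking. Registration in web.xml (the init-param
 * names are this example's own):
 *
 *   <filter>
 *     <filter-name>cspFilter</filter-name>
 *     <filter-class>com.example.CspFilter</filter-class>
 *     <init-param>
 *       <param-name>pagePolicy</param-name>
 *       <param-value>default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>apiPathPrefix</param-name>
 *       <param-value>/api/</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>cspFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class CspFilter implements Filter {
    static final String CSP_HEADER = "Content-Security-Policy";
    static final String API_POLICY = "frame-ancestors 'none'";
    static final String DEFAULT_PAGE_POLICY =
        "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";

    private String pagePolicy;
    private String apiPathPrefix;

    @Override
    public void init(FilterConfig config) {
        pagePolicy = param(config, "pagePolicy", DEFAULT_PAGE_POLICY);
        apiPathPrefix = param(config, "apiPathPrefix", "/api/");
    }

    /** Full policy for pages, frame-ancestors only for paths under the API prefix. */
    String policyFor(String pathWithinContext) {
        return pathWithinContext.startsWith(apiPathPrefix) ? API_POLICY : pagePolicy;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the header before handing off to the servlet: once the servlet commits the
        // response, headers added afterwards are silently dropped. The content type is not
        // known yet at this point, so the choice is keyed on the path rather than on text/html.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        response.setHeader(CSP_HEADER, policyFor(path));

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }

    private static String param(FilterConfig config, String name, String fallback) {
        String value = config.getInitParameter(name);
        return (value == null || value.trim().isEmpty()) ? fallback : value.trim();
    }
}
```

setHeader (rather than addHeader) is deliberate: it replaces any CSP header a servlet or another filter already placed, so one policy per response is guaranteed; if several policies are wanted on purpose, switch to addHeader, bearing in mind that the browser then enforces all of them.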

How do I add an Onion-Location header with Caddy2?

How do I add an Onion-Location header to all my pages in Caddy2 the value of which is $string+request_path
Onion-Location is an easy way to advertise an onion site to the users. You can either configure a web server to show an Onion-Location Header or add an HTML meta attribute in the website.
— Tor Project
The example Nginx configuration shows:
add_header Onion-Location http://<your-onion-address>.onion$request_uri;
I think they meant path, rather than full URI.
Like this:
header Onion-Location http://whatevercrypticname.onion{path}
If you have the $TOR_HOSTNAME saved as an environment variable then use
header Onion-Location http://{$TOR_HOSTNAME}{path}

What is happening when I have two CSP (Content Security Policies) policies - header & meta?

Question is regarding having CSP served twice:
What's the behavior if there is one policy served through the Content-Security-Policy HTTP response header and also another policy specified with the <meta /> element?
Will those two be merged somehow? Or else which one has priority? (I cannot find clear info on this in the spec).
A specific use case might be serving Report-to through the HTTP response header and putting all other restrictions in the <meta /> element, because some of those are generated by webpack, and I want to know whether I should be worried about the <meta /> policy being shadowed by the HTTP response-header policy.
If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever specified.
See the details on multiple polices at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the meta element at https://w3c.github.io/webappsec-csp/#meta-element:
A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they're specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.
8.1. The effect of multiple policies
The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.

Adding custom response header in "HTTP Response Headers" module within IIS7 Manager ok to use if cannot access web.config file?

I am attempting to insert a custom response header to comply with a requirement to enable HSTS, as the current layout is at risk in our cyber security audit.
I am referencing this previous StackOverflow thread, as the "best answer" suggests setting the custom response header using the IIS7 Manager interface, versus the second "best answer", which is to go into the web.config file and copy and paste code into it.
I tried to follow the directions to access it using this link, but I did not get far because I do not have an EFTAdHoc subfolder under Default Web Site in step 3.
I am curious if it is still ok if I set the custom response header this way:
This dialogue adds headers for all requests. But in your case, you need something slightly different: you need to add HSTS only for HTTPS requests. The answer in the thread you referred to before is correct because it sets the header only if it is an HTTPS request.
You can do that with IIS Manager.
1) Go to URL Rewrite
2) Click Add Rule -> Outbound rules -> Blank rule
3) Fill in the fields like this:

Can Content-Security-Policy and Content-Security-Policy-Report-Only headers coexist without interfering with each other

I am working on addition of Content-Security-Policy-Report-Only header to my company's website. While I was researching on it, I found that a few of the pages already have Content-Security-Policy header set.
I investigated further and found that the directives are not required. Also, the default directive used for those pages is 'self', whereas what I am planning to set for report-only is 'https:'.
I am not an expert in this area and want to make sure that the two header values don't interfere, hence I am looking for guidance.
If I set report-only for the pages that already have a CSP header, is it going to interfere with the existing headers? Is the behavior browser dependent?
Any help/pointers will be helpful in deciding.
Thanks!
Content-Security-Policy and Content-Security-Policy-Report-Only have no effect on each other and are entirely independent. Setting both is a common practice when tightening policies. I wouldn't doubt that there has been a bug around this behavior at some point, but the spec is clear.
From Section 5 of the CSP2 Spec
A server MAY cause user agents to monitor one policy while enforcing another policy by returning both Content-Security-Policy and Content-Security-Policy-Report-Only header fields. For example, if a server operator may wish to enforce one policy but experiment with a stricter policy, she can monitor the stricter policy while enforcing the original policy. Once the server operator is satisfied that the stricter policy does not break the web application, the server operator can start enforcing the stricter policy.
Based on the link here, a server must not send both headers in the same request.
Here is the original text: A server MUST NOT provide Content-Security-Policy header field(s) and Content-Security-Policy-Report-Only header field(s) in the same HTTP response. If a client received both header fields in a response, it MUST discard all Content-Security-Policy-Report-Only header fields and MUST enforce the Content-Security-Policy header field.
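Added example, not part of either answer and not a browser's implementation: a small Java model of the two combination rules discussed on this page, the multiple-policies question above (every enforced policy, whether from a header or a meta element, is checked on its own, so the effective policy is the intersection) and the enforce plus report-only split described in the first answer to this question (a report-only policy reports violations but never blocks). The source expressions it understands are a deliberate subset of CSP, and the origins app.example and cdn.example are constructed for the demonstration.

```java
package com.example;  // hypothetical package

import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Toy model of how a browser applies several CSP policies to one load:
 *  - every enforced policy is checked on its own; the load is blocked if any refuses it,
 *  - report-only policies never block, they only produce a report.
 * Modelled source expressions: 'self', 'none', *, scheme: and host-source with an
 * optional scheme and an optional leading "*." (no paths, no ports, no nonces/hashes).
 */
public final class CspCombiner {

    /** directive name -> source expressions; a repeated directive is ignored, as in the spec. */
    static Map<String, List<String>> parse(String policy) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String raw : policy.split(";")) {
            String[] tokens = raw.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;
            String name = tokens[0].toLowerCase(Locale.ROOT);
            directives.putIfAbsent(name, Arrays.asList(tokens).subList(1, tokens.length));
        }
        return directives;
    }

    /** Does one policy allow `url` for `directive`, with the page served from `self`? */
    static boolean allows(Map<String, List<String>> policy, String directive, URI self, URI url) {
        List<String> sources = policy.get(directive);
        if (sources == null) sources = policy.get("default-src"); // fetch directives fall back
        if (sources == null) return true;                          // policy is silent: allowed
        for (String src : sources) {
            if (matches(src, self, url)) return true;
        }
        return false;                                              // covers 'none' and empty lists
    }

    static boolean matches(String src, URI self, URI url) {
        String s = src.toLowerCase(Locale.ROOT);
        String scheme = url.getScheme().toLowerCase(Locale.ROOT);
        String host = url.getHost() == null ? "" : url.getHost().toLowerCase(Locale.ROOT);
        if (s.equals("'none'")) return false;
        if (s.equals("*")) return true;
        if (s.equals("'self'")) {
            return scheme.equals(self.getScheme().toLowerCase(Locale.ROOT))
                && host.equals(self.getHost().toLowerCase(Locale.ROOT));
        }
        if (s.endsWith(":")) return scheme.equals(s.substring(0, s.length() - 1)); // e.g. https:
        int sep = s.indexOf("://");
        if (sep >= 0) {
            if (!scheme.equals(s.substring(0, sep))) return false;
            s = s.substring(sep + 3);
        }
        if (s.startsWith("*.")) return host.endsWith(s.substring(1)) && !host.equals(s.substring(2));
        return host.equals(s);
    }

    /** Result for one load: whether it is blocked, and which policies would send a report. */
    static final class Decision {
        boolean blocked;
        final List<String> violatedEnforced = new ArrayList<>();
        final List<String> violatedReportOnly = new ArrayList<>();
    }

    static Decision evaluate(List<String> enforced, List<String> reportOnly,
                             String directive, URI self, URI url) {
        Decision d = new Decision();
        for (String p : enforced) {
            if (!allows(parse(p), directive, self, url)) d.violatedEnforced.add(p);
        }
        for (String p : reportOnly) {
            if (!allows(parse(p), directive, self, url)) d.violatedReportOnly.add(p);
        }
        d.blocked = !d.violatedEnforced.isEmpty(); // report-only violations never block
        return d;
    }

    public static void main(String[] args) {
        URI self = URI.create("https://app.example/");           // constructed page origin
        URI cdnScript = URI.create("https://cdn.example/lib.js"); // constructed third-party script
        List<String> none = Collections.emptyList();

        // Header + <meta>, both enforced: the header allows the CDN, the meta policy does not,
        // so the script is blocked. Adding a policy can only restrict further.
        String header = "script-src 'self' https://cdn.example; report-to csp-endpoint";
        String meta = "script-src 'self'";
        Decision d1 = evaluate(Arrays.asList(header, meta), none, "script-src", self, cdnScript);
        System.out.println("header+meta, CDN script blocked: " + d1.blocked
            + ", by: " + d1.violatedEnforced);

        // Enforced 'self' plus report-only 'https:' (this question's scenario): the looser
        // report-only policy does not loosen enforcement; the CDN load stays blocked.
        Decision d2 = evaluate(Arrays.asList("default-src 'self'"),
                               Arrays.asList("default-src https:"), "script-src", self, cdnScript);
        System.out.println("enforce 'self' + report-only https:, blocked: " + d2.blocked);

        // The converse: a stricter report-only policy is reported but does not block.
        Decision d3 = evaluate(Arrays.asList("default-src 'self' https://cdn.example"),
                               Arrays.asList("default-src 'self'"), "script-src", self, cdnScript);
        System.out.println("enforce cdn + report-only 'self', blocked: " + d3.blocked
            + ", reported by: " + d3.violatedReportOnly);
    }
}
```

Run it with javac/java and compare the three lines against the quoted spec text: the header-plus-meta load is blocked even though the header alone would have allowed it, and the two report-only cases change only what gets reported, never what gets blocked.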
