I'm trying to configure the X-Frame-Options header in Tomcat 8.
web.xml:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
Testing it with Tomcat works as expected:
curl -I http://ip_of_tomcat:port_of_tomcat/myapp/
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1; Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:
Testing it with Tomcat behind an Apache reverse proxy using mod_proxy_http does not work as expected:
web.xml: the same as above
server.xml
    <!-- Connector attribute names are case-sensitive: Tomcat documents
         proxyName/proxyPort; ProxyName/ProxyPort would be silently ignored. -->
    <Connector port="port_of_tomcat" protocol="HTTP/1.1" server=" "
               connectionTimeout="20000"
               proxyPort="443"
               proxyName="xframe.example.com"
               scheme="https"
               secure="true"
               redirectPort="port_of_tomcat_plus_one" />
apache.conf
    <VirtualHost ip_of_tomcat:80>
        ServerName xframe.example.com
        ProxyPass / http://ip_of_tomcat:port_of_tomcat/
        ProxyPassReverse / http://ip_of_tomcat:port_of_tomcat/
    </VirtualHost>
curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
The X-Frame-Options header is missing. The only workaround I have found is to enable mod_headers in apache.conf, i.e.:
    <IfModule headers_module>
        <IfVersion >= 2.4.7>
            Header always setifempty X-Frame-Options SAMEORIGIN
        </IfVersion>
        <IfVersion < 2.4.7>
            Header always merge X-Frame-Options SAMEORIGIN
        </IfVersion>
    </IfModule>
And it finally works:
curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:24:48 GMT
Server:
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=990791DCF707F972D7C2CF09D47F4BE4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
Is it possible to use x-frame-options with mod_proxy without also having to use mod_headers?
I would like to configure only Tomcat and not Apache.
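A small check that goes with this kind of debugging, added here as an example and not part of the original post: capture the response headers once directly from Tomcat and once through the proxy, then diff the header names case-insensitively to see exactly which headers the proxy dropped or added. The two header dumps embedded below are constructed from the two `curl -I` outputs shown above; the file names, the `header_names`/`missing_headers`/`added_headers`/`header_value` helpers and the temporary files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the headers a client gets
# straight from Tomcat with the ones it gets through the Apache proxy, and list
# the header names that were lost or added on the way. Names are compared
# case-insensitively because proxies and HTTP/2 front ends may change their
# capitalisation without actually dropping them.
#
# With real servers, replace the constructed samples by:
#   curl -sI http://ip_of_tomcat:port_of_tomcat/myapp/ > direct.txt
#   curl -sI https://xframe.example.com/myapp/       > proxied.txt

# Lower-cased, sorted, unique header names from a `curl -I` dump ($1).
# Skips the status line, blank lines and any CR left over from CRLF endings.
header_names() {
    tr -d '\r' < "$1" | grep -i '^[a-z0-9-][a-z0-9-]*:' | cut -d: -f1 \
        | tr 'A-Z' 'a-z' | sort -u
}

# $1 = comm flag (-23: names only in $2, -13: names only in $3).
_compare() {
    a=$(mktemp) && b=$(mktemp) || return 1
    header_names "$2" > "$a"
    header_names "$3" > "$b"
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}
# Header names present in the direct response ($1) but not in the proxied one ($2).
missing_headers() { _compare -23 "$1" "$2"; }
# Header names present in the proxied response ($2) but not in the direct one ($1).
added_headers()   { _compare -13 "$1" "$2"; }

# Value of header $2 (name matched case-insensitively) in dump $1; empty if absent.
header_value() {
    tr -d '\r' < "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//'
}

# Constructed samples, copied from the two curl -I outputs in the post.
DIRECT=$(mktemp)
PROXIED=$(mktemp)
cat > "$DIRECT" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1; Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:
EOF
cat > "$PROXIED" <<'EOF'
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
EOF

echo "Headers lost through the proxy:"
missing_headers "$DIRECT" "$PROXIED"
echo "Headers added by the proxy:"
added_headers "$DIRECT" "$PROXIED"
echo "X-Frame-Options direct:  '$(header_value "$DIRECT"  x-frame-options)'"
echo "X-Frame-Options proxied: '$(header_value "$PROXIED" x-frame-options)'"
```

On the post's own data the script reports `x-frame-options` as the only header lost and `vary` as the only one added by the proxy, which narrows the problem to that single header rather than to the filter as a whole; run the same comparison against the real hosts after every config change so that a fix is confirmed at the hop where the browser actually sees the response.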