
How to Enable Secure HTTP Headers in Apache Tomcat 8: An In-Depth Practical Guide


Hey there! Securing web apps is more crucial than ever before to guard against clever attacks. This step-by-step guide will teach you how to leverage built-in filters in Apache Tomcat 8 to inject protective HTTP response headers like a pro.

Why HTTP Security Headers Matter

Before we dive into the how-to, let me convince you why locking down headers is so vital:

As per OWASP, injection attacks like cross-site scripting (XSS) and broken authentication are still amongst the top application risks.

Here are some stats:

  • 70% of all web apps tested by Positive Technologies in 2021 had critical vulnerabilities.

  • Pandemic-induced digital push led to a 12% rise in web attacks according to F5 Labs.

Enabling security headers is an easy win to mitigate common injection threats and strengthen overall defense.

"Just by implementing simple HTTP headers, organizations can dramatically increase the security posture of both new and legacy applications." – Meera Subbarao, Synopsys

Supported Security Headers

Since version 8.0, Apache Tomcat ships a built-in filter (HttpHeaderSecurityFilter) that injects these headers:

  • X-Frame-Options – Protects against clickjacking by restricting iframe embedding
  • X-XSS-Protection – Turns on the browser's filter against reflected XSS attacks
  • X-Content-Type-Options – Stops MIME-type sniffing vulnerabilities
  • HSTS (Strict-Transport-Security) – Tells browsers to use HTTPS only

Below you can see how these thwart various threats:

Header                  Attacks Mitigated
X-Frame-Options         Clickjacking, UI Redressing
X-XSS-Protection        Reflected Cross-site Scripting
X-Content-Type-Options  MIME Sniffing, Content Injection
HSTS                    TLS Stripping, SSL Spoofing

Given the rising threats, having these extra defenses in place is essential.

Step-by-Step Guide to Set Headers in Tomcat

Let me walk you through the simple steps to enable header injection:

First, log in to your Tomcat server and navigate to the conf directory. Look for the web.xml file.

Uncomment the HttpHeaderSecurityFilter config by removing the surrounding <!-- and --> comment markers:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>

Next, add a mapping to apply the filter to all app URLs:

<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Save the changes and restart the Tomcat service. The headers will now be injected automatically!

To test, use an online tool like GeekFlare Header Check or the Network tab of your browser's Developer Tools:

[Screenshot: Browser Developer Tools showing the security headers]
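If you would rather script the check than eyeball the Network tab, here is an added example (my own code, not from the original post or from Tomcat) that parses a captured HTTP response head and reports which of the four headers from this guide are missing or weak. SAMPLE_RESPONSE is a constructed response, not captured from a real server, and the one-year HSTS threshold simply mirrors the hstsMaxAgeSeconds value used later in this guide.

```python
"""Audit the security headers in a captured HTTP response.

Added example for this post (not from the original article or from Tomcat).
SAMPLE_RESPONSE is a constructed response head, not captured from a real server.
"""
from __future__ import annotations

MIN_HSTS_MAX_AGE = 31536000  # one year, the value the post uses for hstsMaxAgeSeconds

# Constructed sample: a Tomcat response with the filter enabled but HSTS max-age left low.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Return the response headers with lower-cased names (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int | None:
    """Pull the max-age number out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def audit(headers: dict[str, str]) -> list[str]:
    """Check the four headers the post enables; an empty list means all pass."""
    findings: list[str] = []
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} below {MIN_HSTS_MAX_AGE}")
    return findings


def audit_response(raw: str) -> list[str]:
    """Convenience wrapper: parse a raw response head and audit it."""
    return audit(parse_headers(raw))


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE) or ["all four headers present and strong"]:
        print(finding)
```

You can feed parse_headers the output of `curl -si https://your-host/` instead of the constructed sample. One thing to keep in mind when you do: HttpHeaderSecurityFilter only adds Strict-Transport-Security to responses for requests Tomcat considers secure, so a plain-HTTP test against port 8080 will always report HSTS as missing even when the filter is configured correctly.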

Customizing Security Headers

The filter supports fine-grained control over each header via initialization parameters placed inside its <filter> element, like this:

<init-param>
  <param-name>hstsMaxAgeSeconds</param-name>
  <param-value>31536000</param-value>
</init-param>

  • hstsMaxAgeSeconds – Sets the max-age value in the HSTS header
  • antiClickJackingOption – Sets the X-Frame-Options value; values like DENY, SAMEORIGIN

See the Tomcat docs for full details.
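Because the filter ships commented out, the most common reason the headers never appear is a web.xml that was edited but still has the <!-- --> markers around the filter. The following added example (my own code, not Tomcat's) checks a conf/web.xml for exactly that, and also verifies the init-param and mapping from the two sections above. SAMPLE_WEB_XML is a constructed excerpt of web.xml, and the one-year minimum for hstsMaxAgeSeconds is just the value this guide uses.

```python
"""Verify that a Tomcat conf/web.xml actually enables HttpHeaderSecurityFilter.

Added example for this post, not Tomcat's own code. SAMPLE_WEB_XML is a
constructed excerpt of conf/web.xml containing the filter, two init-params and
the mapping from the post.
"""
import xml.etree.ElementTree as ET

# Tomcat 8's conf/web.xml declares the Servlet 3.1 namespace; ElementTree needs it on every tag.
NS = "{http://xmlns.jcp.org/xml/ns/javaee}"
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""


def check_web_xml(xml_text: str, min_hsts_age: int = 31536000) -> list:
    """Return a list of findings; empty means the filter is defined, configured and mapped to /*."""
    root = ET.fromstring(xml_text)
    findings = []
    # The parser discards XML comments, so a filter still wrapped in <!-- --> is
    # simply absent here: the most common reason the headers never show up.
    flt = next((f for f in root.findall(NS + "filter")
                if f.findtext(NS + "filter-class") == FILTER_CLASS), None)
    if flt is None:
        return ["HttpHeaderSecurityFilter is not defined (still commented out?)"]
    name = flt.findtext(NS + "filter-name")
    params = {p.findtext(NS + "param-name"): p.findtext(NS + "param-value")
              for p in flt.findall(NS + "init-param")}
    age = params.get("hstsMaxAgeSeconds")
    if age is None or not age.isdigit() or int(age) < min_hsts_age:
        findings.append(f"hstsMaxAgeSeconds is {age!r}; expected at least {min_hsts_age}")
    # Tomcat's default is DENY; the post recommends DENY or SAMEORIGIN, so anything else is flagged.
    if params.get("antiClickJackingOption", "DENY") not in ("DENY", "SAMEORIGIN"):
        findings.append("antiClickJackingOption should be DENY or SAMEORIGIN")
    patterns = [m.findtext(NS + "url-pattern")
                for m in root.findall(NS + "filter-mapping")
                if m.findtext(NS + "filter-name") == name]
    if "/*" not in patterns:
        findings.append(f"no filter-mapping for {name!r} with url-pattern /*")
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path to a real conf/web.xml, or run without arguments to check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print(check_web_xml(text) or ["httpHeaderSecurity filter looks good"])
```

Run it as `python check_web_xml.py /path/to/tomcat/conf/web.xml` after editing and before restarting Tomcat; it catches the forgotten comment markers, a low HSTS max-age and a missing /* mapping without having to restart the service first.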

A Word About Best Practices

As your security wingman, let me share some good ops habits:

  • Test in lower environments before production
  • Review logs after applying changes
  • Take backups of config files
  • Set headers at both the web server and the app server

For a complete application security guide, refer to the OWASP Cheat Sheet Series.

So that concludes our secure headers tour! Let me know if any part needs more explanation. Stay safe out there!


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.