top button
Flag Notify
    Connect to us
      Facebook Login
      Site Registration Why to Join

Facebook Login
Site Registration

Tomcat: How to enable X-XSS-Protection?

+2 votes

I am looking for a way to add the X-XSS-Protection header (*) to the response from Tomcat.

I am currently using the Tomcat's HttpHeaderSecurityFilter that allows to setup other useful security related headers but it doesn't seem to support the X-XSS-Protection header (**).

Do you think that HttpHeaderSecurityFilter should be enhanced to support this (I could provide a patch for this)? Is there another way?

posted Oct 8, 2015 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button Google+ Share Button LinkedIn Share Button Multiple Social Share Button

Similar Questions
+2 votes

I got a Problem with Tomcat deployment. I am using TC 7.0.42, OS: Win2k8r2, J 1.7.0._45.

We used to deploy unpacked webapps (dirs) on a Tomcat 5.0.26 outside the Webapps-dir. We used the manager (web-IF) to deploy these apps, giving the context name and the local directory. The tomcat ran the app from this location. It creates a .xml in it's config dir.

Now in TC7, the tomcat COPIES the APP from the given location to the default Webapps directory. But we want it to run from where it is, not a copy. One way to archieve this is to manually create a .xml file in the conf/server/localhost dir. But our deployment process needs it to be done via web interface. So, is there any possibility to configure tomcat 7 to behave like tomcat 5 when deploying local webapp directories from outside the webapps dir? I tried autoDeploy and unpackWars to false, but it didn't help. :(

0 votes

My project is planning to upgrade to Tomcat 7.0.57 that has the fix for POODLE vulnerability and have the SSL protocol disable by default. We were up till now using the manual configuration change in server.xml in
order to disable use of SSL.

My questions is that after upgrading to Tomcat 7.0.57, is there any similar configuration change available, through which we can re enable SSL protocols again.

Please let me know if my question is not clear.

0 votes

I have been searching for an answer to how to set this up. I find a lot of posts on session persistence but none seem to describe how to set it up. Is there a simple explanation out there that tells me how I go about setting up session persistence (with Apache, I would just set up memcached on the db server and configure the memcache module on each Apache instance to point to the memcached and it works). I don't need opcode persistence. I just want the tomcats to either a) direct all session traffic to a single node or b) make the two tomcats aware of all sessions. Can someone point me in the right direction? I am not a java coder, but if code changes need to be made, I can work through it.

0 votes

We are using Tomcat 6.x version and we need to implement the following headers in our environment.

1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

When I checked the Tomcat 6 version webpage (, I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (, but we cannot upgrade to Tomcat 7.x version due to some constraints.

Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.

0 votes

We are using tomcat 7.X for our project. So far we deploy only one application in tomcat.

Now we are planning to deploy one more application with existing one.

There is requirement that failure of deployment of new application should not affect existing application deployment and tomcat startup. As per my understanding, If any application deployment fails, Tomcat startup will fail.

Please let us know if there is any way to start the tomcat in case of failure of one application deployment also.

Contact Us
+91 9880187415
#280, 3rd floor, 5th Main
6th Sector, HSR Layout
Karnataka INDIA.