[
https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058440#comment-15058440 ]
Jacques Le Roux commented on OFBIZ-6766:
----------------------------------------
I had a try at using HttpHeaderSecurityFilter and I must say I'm a bit disappointed. Because, as it's said at
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#web.xml you can't have both your own way and HttpHeaderSecurityFilter: <<HttpHeaderSecurityFilter can be used to add headers to responses to improve security. If clients access Tomcat directly, then you probably want to enable this filter and all the headers it sets unless your application is already setting them.>>.
Since, in the RequestHandler class, I already covered all the points HttpHeaderSecurityFilter does (strict-transport-security, x-frame-options and x-content-type-options), there is not much interest in using it. It could even be counterproductive with duplicate or conflicting values. Moreover it does not handle X-XSS-Protection, which is a breeze to set in RequestHandler. Finally, doing so in RequestHandler has the advantage of not depending on Tomcat and of covering not only OOTB web apps but any possible new ones.
I also had a go with RestCsrfPreventionFilter, same disappointment. It's hard to set up, as explained at
https://www.mail-archive.com/users@.../msg88601.html. I gave up at this stage.
Anyway, all in all I prefer to handle security point by point rather than have a false sense of security relying on filters or what-not.
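The comment above warns that setting the same security headers in two layers (the application's RequestHandler and Tomcat's HttpHeaderSecurityFilter) can produce duplicate or conflicting values. The following is an added example, not code from the comment, from OFBiz or from Tomcat: a small Python check that parses the head of an HTTP response and reports, for each of the four headers the comment names, whether it is missing, set once with an acceptable value, emitted twice with the same value, or emitted with conflicting values. The accepted values (DENY/SAMEORIGIN, nosniff, a positive HSTS max-age, the two X-XSS-Protection forms) and both sample responses are assumptions constructed for the example, not values taken from OFBiz.

```python
# Added example (not OFBiz or Tomcat code): audit security response headers for
# presence, duplicates and conflicts, as happens when an application and a
# servlet filter both set them.
from collections import defaultdict


def hsts_ok(value):
    """Accept a Strict-Transport-Security value only if it carries max-age > 0."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            return val.strip().isdigit() and int(val) > 0
    return False


def allowed(*values):
    """Build a case-insensitive 'value is one of these' predicate."""
    accepted = {v.lower() for v in values}
    return lambda v: v.lower() in accepted


# Headers named in the comment. Accepted values are assumptions for this check.
# Note: X-XSS-Protection is obsolete in current browsers; it is listed here
# only because the comment discusses it.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": allowed("DENY", "SAMEORIGIN"),
    "x-content-type-options": allowed("nosniff"),
    "x-xss-protection": allowed("1; mode=block", "0"),
}


def parse_headers(raw):
    """Parse an HTTP response head into {lowercased name: [value, ...]}.
    Repeated header lines are kept so duplicates and conflicts stay visible."""
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                # skip malformed lines
        headers[name.strip().lower()].append(value.strip())
    return headers


def audit(raw):
    """Return {header: status} with status one of
    'missing', 'ok', 'duplicate', 'conflict', 'unexpected-value'."""
    headers = parse_headers(raw)
    report = {}
    for name, accept in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len({v.lower() for v in values}) > 1:
            report[name] = "conflict"          # two layers disagree on the value
        elif len(values) > 1:
            report[name] = "duplicate"         # same value emitted twice
        elif not accept(values[0]):
            report[name] = "unexpected-value"
        else:
            report[name] = "ok"
    return report


# Constructed sample: every header set exactly once by one layer.
GOOD = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "",
    "<html>...</html>",
])

# Constructed sample: application and filter both emit headers, one of them
# with a different value, and nobody sets X-XSS-Protection.
DOUBLED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000",
    "Strict-Transport-Security: max-age=31536000",
    "X-Frame-Options: SAMEORIGIN",
    "X-Frame-Options: DENY",
    "X-Content-Type-Options: nosniff",
])

if __name__ == "__main__":
    for label, sample in (("single layer", GOOD), ("two layers", DOUBLED)):
        print(label)
        for header, status in audit(sample).items():
            print(f"  {header}: {status}")
```

Run it against a real response by feeding `audit()` the output of `curl -si` for a page served through both layers; any `duplicate` or `conflict` line is exactly the counterproductive overlap the comment describes.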