Mainak1976

Reputation: 43

Security headers setup on WebSphere 9.0.5.13

I have to get all these headers (mentioned below) green when the URL "https://.com" is checked on securityheaders.com. Headers: "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options", "X-Content-Type-Options". The web server running here is IBM WebSphere 9.0.5.13.

I know it needs to be added in some web.xml file with a context param, but there are so many web.xml files that I am not sure which one. We also tried this from the server Web Container settings by adding the following, which didn't work:

com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP....value=max-age=31536000;includeSubDomains;preload
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader....value=max-age=31536000;includeSubDomains;preload

Neither worked. I need to do this for all the headers mentioned above.

We know how to do this for Tomcat, but are having difficulty with WebSphere, guys. If anybody knows how to do this, please help me. Thanking you guys in advance.

Regards, Mainak

Upvotes: 0

Views: 2923

Answers (3)

MST

Reputation: 701

To set up the STS header you can add a custom property:

Servers > Server Types > WebSphere application servers> your_server_name > Web container > Custom properties > New...

Name: com.ibm.ws.webcontainer.addStrictTransportSecurityHeader
Value: max-age=31536000; includeSubDomains

Upvotes: 0

Zero Code

Reputation: 19

You can do as said in the previous comment: add a Servlet filter and add the below configuration to the HTTP response header inside the doFilter method.

```java
HttpServletResponse servletResponse = (HttpServletResponse) response;
servletResponse.setHeader("Content-Security-Policy",
        "default-src 'self' blob: https:; font-src 'self' data: blob: https:; "
        + "img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
        + "worker-src 'self' blob: https:; style-src 'self' 'unsafe-inline' https:; "
        + "frame-ancestors 'self'; frame-src");
```

reference: https://www.ibm.com/support/pages/how-configure-content-security-policy-header-ibm-content-navigator

Upvotes: 0

covener

Reputation: 17872

You need to use the Servlet APIs to set custom response headers, either in your application or in a filter. If you can't do that, you can often do similar if you have a proxy server in front of your application.

WebSphere Liberty has basic support for adding custom response headers via server.xml, but it's not available in the traditional WebSphere Application Server.

HSTS is unique as there is support for it at various levels in configuration.

Upvotes: 0
