
Tomcat Clickjacking and XSS Protection

Problem Statement

Under its default configuration, the Diplomat MFT Tomcat Webserver does not provide any specific HTTP header mitigation for Clickjacking or Cross-Site Scripting (XSS) attacks. Security scans of the Diplomat MFT Tomcat Webserver may report moderate risk threats to security as a result.

Mitigating Factors

Diplomat MFT server does not provide a web interface for administration or monitoring of the server. We use a ‘thick client’ application (the Diplomat Client) that connects to the Diplomat Server over HTTP or HTTPS using a binary communications protocol. In other words, you cannot connect to Diplomat MFT with a web browser and navigate web pages. The installation does serve a default Tomcat web page if you visit the root (“https://localhost:8080/”), but that is a static HTML page and offers no interaction with Diplomat MFT. As a result, this security issue does not really affect Diplomat MFT.

Adding Further Protection

We can appreciate that you want a clean security report, so here are the configuration steps you can take to add Tomcat Clickjacking and XSS protection.

You will need to open the following file in a text editor, such as Notepad or Notepad++: c:\program files\coviant software\diplomat-j\tomcatWebserver\conf\web.xml

Because this file is under the “Program Files” area, your text editor will need to be run as Administrator so that you can save changes.

In this file, search for the term “httpHeaderSecurity”. You will find it in two areas that are commented out. In XML, comments are anything between the “<!--” and “-->” symbols.

The first looks like this:

<!--
     <filter>
         <filter-name>httpHeaderSecurity</filter-name>
         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
         <async-supported>true</async-supported>
     </filter>
-->

You will need to remove the leading “<!--” and trailing “-->”, so it looks like this:

    <filter>
         <filter-name>httpHeaderSecurity</filter-name>
         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
         <async-supported>true</async-supported>
     </filter> 

Then, later in the file you will find another reference that looks like this:

<!--
     <filter-mapping>
         <filter-name>httpHeaderSecurity</filter-name>
         <url-pattern>/*</url-pattern>
         <dispatcher>REQUEST</dispatcher>
     </filter-mapping>
 --> 

Again, remove the comment markers to make it look like this:

    <filter-mapping>
         <filter-name>httpHeaderSecurity</filter-name>
         <url-pattern>/*</url-pattern>
         <dispatcher>REQUEST</dispatcher>
     </filter-mapping> 

Save this file and exit your editor. Now you can restart the Diplomat MFT 64 service and all HTTPS responses will include the following security headers:

Strict-Transport-Security: max-age=0
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Updated on April 15, 2021
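As an added check (example code written for this article, not part of Diplomat MFT or Tomcat), the following Python script covers both halves of the procedure above: it parses a web.xml the same way Tomcat does, so a filter that is still inside a comment, or that is declared but never mapped, is reported as inactive; and it compares a set of response headers against the four header values listed above. The two web.xml fragments and the response headers are constructed for the example. The `hstsMaxAgeSeconds` init-param in the second fragment is a real HttpHeaderSecurityFilter parameter documented by Tomcat; it is shown because the default `max-age=0` above tells browsers to discard the HSTS policy rather than enforce it, which a scanner may still flag. `fetch_headers` is only needed when running the check against a live server.

```python
"""Added check: confirm the httpHeaderSecurity filter is active in web.xml
and that a server's response carries the headers the filter should add.
(Example code, not part of Diplomat MFT or Tomcat.)"""
import http.client
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: filter uncommented, but the filter-mapping
# still inside a comment, as happens when only the first edit is applied.
WEB_XML_FILTER_ONLY = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <!--
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  -->
</web-app>"""

# Constructed web.xml fragment: both edits applied, plus an init-param that
# raises the HSTS max-age (hstsMaxAgeSeconds is a documented filter parameter).
WEB_XML_COMPLETE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>"""

# Header values the article lists for the filter's default configuration.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=0",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# Constructed response headers, as a restarted server with defaults would send.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def _local(tag):
    """Drop the XML namespace prefix ('{uri}filter' -> 'filter')."""
    return tag.rsplit("}", 1)[-1]


def filter_status(web_xml_text, filter_name="httpHeaderSecurity"):
    """Return (declared, mapped, init_params) for one filter in web.xml.

    ElementTree discards comments, so this sees exactly what Tomcat sees:
    a filter still inside <!-- --> is reported as absent."""
    declared, mapped, init_params = False, False, {}
    for el in ET.fromstring(web_xml_text):
        kind = _local(el.tag)
        if kind not in ("filter", "filter-mapping"):
            continue
        names = [(c.text or "").strip() for c in el if _local(c.tag) == "filter-name"]
        if filter_name not in names:
            continue
        if kind == "filter-mapping":
            mapped = True
            continue
        declared = True
        for p in el:
            if _local(p.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in p}
                init_params[kv.get("param-name", "")] = kv.get("param-value", "")
    return declared, mapped, init_params


def check_headers(headers):
    """Compare response headers (case-insensitive names) with EXPECTED_HEADERS.
    Returns a list of findings; an empty list means every expected header matches."""
    got = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        if name not in got:
            findings.append(f"missing {name}")
        elif got[name] != want:
            findings.append(f"{name}: expected {want!r}, got {got[name]!r}")
    return findings


def hsts_max_age(headers):
    """Return the max-age from Strict-Transport-Security, or None if absent.
    0 tells browsers to discard the policy, so HSTS is only enforced once
    hstsMaxAgeSeconds is raised above the default."""
    got = {k.lower(): v for k, v in headers.items()}
    m = re.search(r"max-age=(\d+)", got.get("strict-transport-security", ""))
    return int(m.group(1)) if m else None


def fetch_headers(host, port, path="/", context=None):
    """Fetch response headers from a live server over HTTPS (network use only;
    pass an ssl.SSLContext if the server uses a self-signed certificate)."""
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    for label, xml in (("filter only", WEB_XML_FILTER_ONLY), ("complete", WEB_XML_COMPLETE)):
        print(label, "->", filter_status(xml))
    print("header findings:", check_headers(SAMPLE_RESPONSE_HEADERS) or "none")
    print("hsts max-age:", hsts_max_age(SAMPLE_RESPONSE_HEADERS))
```

Run it as-is to see the two web.xml outcomes side by side; to check a real installation, read the conf\web.xml path given above into `filter_status`, and after the service restart pass `fetch_headers("localhost", 8080)` into `check_headers` and `hsts_max_age`.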
