My client wants me to fix a vulnerability in my web app. Below is the message about the vulnerability:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'
This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown
Although I have already found some solutions to this issue, I am looking for a solution from the Tomcat configuration. Is it possible to make changes to the Tomcat configuration to accomplish this?
Please give me any idea.
If you're using Tomcat 8, it's really easy - add these two sections to your web.xml:
<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The server response now has 'nosniff' and X-Frame-Options: DENY by default
More detail: Tomcat 8 Filter Configuration
Sample filter class code.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleResponseFilter implements Filter {
    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Protection against Type 1 (reflected) XSS attacks in browsers that honour this header
        res.addHeader("X-XSS-Protection", "1; mode=block");
        // Stop browsers from performing risky MIME sniffing of the response body
        res.addHeader("X-Content-Type-Options", "nosniff");
        // Headers are added before continuing the chain so they are in place before the response is committed
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }
}