Tomcat filter HTTP Header Security is unavailable in SOI v4.2

Document ID : KB000124329
Last Modified Date : 10/01/2019
Introduction:
Vulnerability detected
Background:
The SOI UI v4.2 website is vulnerable to the following:

- Web application vulnerable to Clickjacking
- Lack of Strict-Transport-Security Header

 
Environment:
SOI 4.2
Instructions:
Update SOI\tomcat\conf\web.xml as follows.

The web.xml fragment below is the configuration that was tried in our setup:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
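To confirm the filter is actually active after the change, the following added check (not part of this KB article or of SOI) compares the headers of a response from the SOI UI against the init-param values above: HSTS with max-age of at least 31536000 and includeSubDomains, and X-Frame-Options set to SAMEORIGIN. The SOI hostname passed to fetch_headers and the sample header dicts are assumptions constructed for the example.

```python
import http.client
import ssl

# Expected values taken from the init-params of the web.xml fragment above.
EXPECTED_HSTS_MAX_AGE = 31536000       # hstsMaxAgeSeconds
EXPECTED_FRAME_OPTIONS = "SAMEORIGIN"  # antiClickJackingOption

def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_headers(headers):
    """Return findings for a dict of response headers (empty list == OK)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Lack of Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < EXPECTED_HSTS_MAX_AGE:
            findings.append("HSTS max-age below hstsMaxAgeSeconds")
        if not include_sub:
            findings.append("HSTS missing includeSubDomains")
    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("Clickjacking: X-Frame-Options header missing")
    elif xfo.strip().upper() != EXPECTED_FRAME_OPTIONS:
        findings.append("X-Frame-Options is %r, expected %s" % (xfo, EXPECTED_FRAME_OPTIONS))
    return findings

def fetch_headers(host, port=443, path="/"):
    """HEAD the SOI UI over HTTPS and return its headers (host is an assumption)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())

# Constructed sample headers: what the filter emits, and a response without it.
SAMPLE_OK = {"Strict-Transport-Security": "max-age=31536000;includeSubDomains",
             "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_BAD = {"Content-Type": "text/html"}
```

Run check_headers(fetch_headers("soi-ui.example.internal")) against the SOI server after restarting Tomcat; an empty list means both findings from the Background section are resolved.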
 
Additional Information:
How to determine the Tomcat version (the filter class org.apache.catalina.filters.HttpHeaderSecurityFilter is only present in Tomcat releases that ship it):

"C:\Program Files (x86)\CA\SOI\jre-64\bin\java.exe" -cp "C:\Program Files (x86)\CA\SOI\tomcat\lib\catalina.jar" org.apache.catalina.util.ServerInfo