Tomcat Configuration to include HTTP security headers

For additional protection, you can edit $MM_HOME/tomcat/conf/web.xml to control which HTTP security headers the application sends.

By default, the application sets the following headers to the recommended values:
* Content-Security-Policy
* X-Content-Type-Options
* X-XSS-Protection

The X-Frame-Options header is not set by default; you can set it manually by adding the following fragment:
<init-param>
   <param-name>X-Frame-Options</param-name>
   <param-value>sameorigin</param-value>
</init-param>

The HSTS header is not strictly necessary: when the application is configured for HTTPS, plain HTTP is not allowed at all, and no automatic HTTP-to-HTTPS redirection is provided. If you still want or need to add it, you can do so manually by adding the following fragment:
<init-param>
   <param-name>Strict-Transport-Security</param-name>
   <param-value>max-age=31536000; includeSubDomains</param-value>
</init-param>
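After editing web.xml and restarting Tomcat, a quick way to confirm that the headers above are actually sent is a small check script. This is an added example, not part of this page or of the product: the URL argument and the sample response headers are constructed for illustration, and the three headers set by default are only checked for presence because the page does not state their values.

```python
import sys
import urllib.error
import urllib.request

# Expected headers; None = "present, any value" (the page does not give those defaults).
EXPECTED = {"Content-Security-Policy": None, "X-Content-Type-Options": None, "X-XSS-Protection": None,
            "X-Frame-Options": "sameorigin",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

def check_hsts(value):
    """Parse HSTS directives; flag a short max-age or a missing includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = next((d[8:] for d in directives if d.startswith("max-age=")), "")
    if not max_age.isdigit():
        return "max-age missing or not numeric"
    if int(max_age) < 31536000:
        return f"max-age {max_age} is below the recommended 31536000"
    return "" if "includesubdomains" in directives else "includeSubDomains missing"

def check_headers(headers):
    """Return {header: problem} for each expected header ('' = OK); names match case-insensitively."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, want in EXPECTED.items():
        value = got.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif want is None:
            findings[name] = ""
        elif name == "Strict-Transport-Security":
            findings[name] = check_hsts(value)
        else:
            findings[name] = "" if value.strip().lower() == want else f"unexpected value {value!r}"
    return findings

def fetch_and_check(url):
    """HEAD the URL and check its headers; an error status (401, 404, ...) still carries headers."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
            return check_headers(dict(resp.headers))
    except urllib.error.HTTPError as err:
        return check_headers(dict(err.headers))

# Constructed sample response: X-Frame-Options set, HSTS max-age far too short.
SAMPLE = {"Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff",
          "X-XSS-Protection": "1; mode=block", "X-Frame-Options": "SAMEORIGIN",
          "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":  # pass the application's HTTPS URL to check a live deployment
    print(fetch_and_check(sys.argv[1]) if len(sys.argv) > 1 else check_headers(SAMPLE))
```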
