Vulnerability in Tomcat config under Confluence - QID 11827

Lloyd Chandler February 6, 2018
Our Confluence server was flagged by Qualys scan for the 11827 vulnerability. 
The following headers are not present:

Header set X-Content-Type-Options: "nosniff"
Header set X-XSS-Protection: "1; mode=block"
Header set X-Frame-Options: "sameorigin"

As we are using the default Confluence installation which is using Apache Tomcat (built in or something),
how do I add these headers to the default config?
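The scanner finding above is just a check on response headers, so the first thing a practitioner wants is a way to reproduce it locally before and after changing Tomcat's configuration. The following is an added example, not part of the original post and not the Qualys check itself: it parses a raw HTTP response head, reports which of the three headers are missing or carry an unexpected value, and can also audit a live URL with a HEAD request. The sample response is constructed and mimics a Tomcat reply that only has the clickjacking header set; the accepted header values follow the finding (X-Frame-Options also accepts DENY, which is at least as strict).

```python
"""Audit an HTTP response for the three headers named in the finding.
Added example (constructed sample response); not the scanner's own logic."""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

# Header -> accepted values (compared case-insensitively). The values are the
# ones the finding asks for; DENY is accepted for X-Frame-Options as it is
# stricter than SAMEORIGIN.
EXPECTED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-XSS-Protection": {"1; mode=block"},
    "X-Frame-Options": {"sameorigin", "deny"},
}


def parse_raw_headers(raw: str) -> dict:
    """Turn a raw response head (status line followed by header lines) into a
    dict keyed by lower-cased header name. Accepts CRLF or LF line endings."""
    headers = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> dict:
    """Return {header: problem} for each expected header that is absent or has
    an unexpected value. An empty dict means the response passes."""
    problems = {}
    for name, good_values in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            problems[name] = "missing"
        elif value.lower() not in good_values:
            problems[name] = f"unexpected value {value!r}"
    return problems


def audit_url(url: str) -> dict:
    """Send a HEAD request to `url` and audit the headers it returns.
    Requires network access; the constructed sample below does not use it."""
    u = urlparse(url)
    conn_cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    conn = conn_cls(u.hostname, u.port)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    return audit_headers({k.lower(): v for k, v in resp.getheaders()})


# Constructed response head: only X-Frame-Options is present, which is what
# a filter configured solely with antiClickJackingEnabled would produce.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for header, why in audit_headers(parse_raw_headers(SAMPLE_RESPONSE)).items():
        print(f"{header}: {why}")
```

Run it against the sample to see the two headers the filter is not yet emitting; pass a URL to `audit_url()` (for example the Confluence base URL) to check the live server after a configuration change and restart.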

2 answers

0 votes
Timothy
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
February 7, 2018

While the other comment by @Edwin Kyalangalilwa is good, you should also consider "masking" this vulnerability by fronting your Tomcat with a proxy server in front of it. For example, Apache:

There is no easy way to upgrade the Tomcat that runs Jira and Confluence. So, the best workaround is to mask whatever's running in the background with a good proxy and webserver setup.

0 votes
Edwin Kyalangalilwa
Rising Star
February 6, 2018

Hi Lloyd,

This link will be helpful. It refers to web.xml:

https://geekflare.com/tomcat-http-security-header/

Lloyd Chandler February 6, 2018

Thanks - I looked at that reference and another. I made the correct changes to the web.xml file located under ..\confluence\conf; however, after making the changes, it's still not working - the headers are not appearing.

I updated web.xml to contain the following - uncommented:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
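The snippet above declares Tomcat's HttpHeaderSecurityFilter with only the clickjacking options set, so whether X-Content-Type-Options and X-XSS-Protection appear depends on the filter's version-specific defaults, and the thread later shows there are several web.xml files to choose from. The following is an added example, not code from the thread or from Tomcat: it parses one or more web.xml files, reports whether the filter is declared and mapped to /*, and says for each of the three headers whether its init-param is explicitly enabled. The embedded web.xml is constructed, modelled on the snippet above with the two other documented init-params (blockContentTypeSniffingEnabled, xssProtectionEnabled) set explicitly so the result does not rely on defaults; the header-to-parameter mapping follows Tomcat's filter documentation.

```python
"""Inspect Tomcat web.xml files for the HttpHeaderSecurityFilter and report
which of the three headers it is configured to emit. Added example; the
embedded web.xml fragment is constructed."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# init-param -> header it switches on (names from Tomcat's filter docs)
PARAM_TO_HEADER = {
    "antiClickJackingEnabled": "X-Frame-Options",
    "blockContentTypeSniffingEnabled": "X-Content-Type-Options",
    "xssProtectionEnabled": "X-XSS-Protection",
}


def _local(tag: str) -> str:
    """web.xml elements carry a {namespace} prefix; compare local names only."""
    return tag.rsplit("}", 1)[-1]


def _text(parent, name):
    """Text of the first direct child named `name`, or None."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text: str) -> dict:
    """Summarise the filter configuration found in one web.xml document.
    Headers whose init-param is absent are reported as relying on Tomcat's
    default, because that default differs between Tomcat versions."""
    root = ET.fromstring(xml_text)
    result = {"declared": False, "filter_name": None, "mapped_all": False, "headers": {}}
    for f in (e for e in root.iter() if _local(e.tag) == "filter"):
        if _text(f, "filter-class") != FILTER_CLASS:
            continue
        result["declared"] = True
        result["filter_name"] = _text(f, "filter-name")
        params = {
            _text(p, "param-name"): _text(p, "param-value")
            for p in f if _local(p.tag) == "init-param"
        }
        for param, header in PARAM_TO_HEADER.items():
            value = params.get(param)
            if value is None:
                result["headers"][header] = "not set (Tomcat default applies)"
            else:
                result["headers"][header] = "enabled" if value.lower() == "true" else "disabled"
    # A declared filter does nothing until a filter-mapping references it.
    for m in (e for e in root.iter() if _local(e.tag) == "filter-mapping"):
        if _text(m, "filter-name") == result["filter_name"] and _text(m, "url-pattern") == "/*":
            result["mapped_all"] = True
    return result


def audit_files(paths) -> dict:
    """Audit each web.xml path given (e.g. the three locations in the thread)."""
    return {str(p): audit_web_xml(Path(p).read_text(encoding="utf-8")) for p in paths}


# Constructed fragment: the poster's filter plus the two other header options.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, summary in audit_files(sys.argv[1:]).items():
            print(path, summary)
    else:
        print(audit_web_xml(SAMPLE_WEB_XML))
```

Pass the candidate web.xml paths on the command line to see at a glance which file actually declares and maps the filter; a file where `declared` is true but `mapped_all` is false explains a filter that is present yet emits nothing.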
Edwin Kyalangalilwa
Rising Star
February 6, 2018

Did you try restarting after the changes?

Lloyd Chandler February 6, 2018

Yep, if that means restarting the Confluence service. Reboot, no.

Lloyd Chandler February 6, 2018

I've also found that there are 3 web.xml files on the system - not sure why, or which one to change.

Edwin Kyalangalilwa
Rising Star
February 6, 2018

That's the correct location. A reboot is required for changes to take effect.

Lloyd Chandler February 7, 2018

Reboot doesn't change anything - it still doesn't work. I don't understand. I've made those exact line changes in web.xml. Here are the locations where I have found this file:

1. D:\confluence\confluence\conf

2. D:\confluence\confluence\confluence\WEB-INF

3. D:\confluence\confluence\synchrony-proxy\WEB-INF


I made the change on number 1. The files in 2 and 3 look different from the web.xml in location #1, so I'm not sure what to do here.

Timothy
Rising Star
February 7, 2018

Item 2 is where you want to make the change. And only in Item 2.

2. D:\confluence\confluence\confluence\WEB-INF

Lloyd Chandler February 7, 2018

OK - so the one in 2 is strange, as it doesn't have these entries even commented out, like the web.xml in #1 does. So do I just add them anywhere? I've seen some references that it must be in certain areas (before or after other entries). I've also seen where the filter-mapping entry should be before the filter.

Timothy
Rising Star
February 7, 2018

Item 2 is where you want to make the change. And only in Item 2.

I may stand corrected on this.

I've seen some references that it must be in certain areas (before or after other entries). I've also seen where the filter-mapping entry should be before the filter.

There is an order to the filters:
