...
Configuración sin cabeceras de seguridad | Configuración con cabeceras de seguridad |
Image Removed | Image Removed |
---|
...
Revisión de cabeceras de Seguridad y Certificado
...
Image Added | Image Added |
---|
Riesgos de seguridad
...
Posteriormente añadir la siguiente configuración al fichero→ /etc/apache2/conf-enabled/security.conffichero:
/etc/apache2/conf-enabled/security.conf
...
Se debe añadir la siguiente configuración al fichero → fichero:
etc/tomcat/web.xmltomcat/conf/web.xml
Code Block |
---|
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
<init-param>
<param-name>blockContentTypeSniffingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<!-- Añadir las fuentes de origenes permitidos -->
<param-value>https://www.apache.org</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<!-- Solo declarar los métodos utilizados-->
<param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> |
|
...
Se debe añadir la siguiente configuración al fichero → /etc/nginx/sites-enabled/defaultfichero:
/etc/nginx/sites-enabled/default
...