WebSphere Application Server & Liberty

  • 1.  Setting Security Headers on WAS 7

    Posted Fri May 20, 2022 03:51 PM
    I've been searching for a way to update security headers for an ear/war application hosted on WAS 7. I don't have IBM Http Server available to me. I was wondering if the only way to set the Security Headers is through the ear/war application. Any assistance or directing or resource would be appreciated.

    ------------------------------
    Cesar Garcia
    ------------------------------


  • 2.  RE: Setting Security Headers on WAS 7

    IBM Champion
    Posted Mon May 23, 2022 02:33 AM
    Hello Cesar,

    Are you talking about security headers like these? I usually configure this type of security headers at the Web server/Proxy level.

    - Strict-Transport-Security
    - Content-Security-Policy
    - X-XSS-Protection
    - X-Frame-Options "SAMEORIGIN";
    - X-Content-Type-Options nosniff;
    - Referrer-Policy "strict-origin";
    - Permissions-Policy

    Regards,

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------



  • 3.  RE: Setting Security Headers on WAS 7

    Posted Tue May 24, 2022 09:50 AM
    Hello Gabriel,

    Yes, these are the headers I'm looking at. I didn't see anywhere on WAS 7 that you could set these. I thought you had to install the IBM Http Server to be able to set these. Can you confirm if this is possible on WAS 7 alone?

    Cesar

    ------------------------------
    Cesar Garcia
    ------------------------------



  • 4.  RE: Setting Security Headers on WAS 7

    IBM Champion
    Posted Tue May 24, 2022 10:50 AM
    Cesar,

    We have this type of security configuration at the web server level.

    Here is an example for nginx and apache; IBM HTTP Server (IHS) is based on apache, but I'm not sure if it will work.

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache

    Maybe as @Brian S Paskin pointed some headers could be set at WAS level and the others at web server level.

    I have found this example; don't look at the product but at the IHS configuration, which has the security headers configured. Keep in mind the IHS version.

    https://www.ibm.com/docs/en/siffs/2.0.2?topic=in-configuring-http-server-websphere-plug

    Hope this helps.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------



  • 5.  RE: Setting Security Headers on WAS 7

    Posted Mon May 23, 2022 04:48 AM
    Hi, there are certain headers that can be turned on with tWAS, but not all. You can programmatically return whichever header you like using HttpServletResponse.addHeader(key, value).

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------
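An added example, not from any of the posts above, of the programmatic approach Brian describes: a servlet filter written against the Servlet 2.5 API (the level WAS 7 supports, so javax.servlet and no annotations) that sets the headers Gabriel listed on every response. The class name and the header values are my own choices, not anything from the thread.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter that adds the security headers from this thread to
 * every response of the ear/war it is packaged in. Servlet 2.5 style: it is
 * registered through <filter> and <filter-mapping> entries in web.xml.
 */
public class SecurityHeadersFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure; values are hard-coded below for clarity.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader replaces any existing value of the same name;
            // addHeader (as mentioned in the thread) would append a second one.
            // Sample values, chosen for this example:
            http.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            http.setHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'");
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
            http.setHeader("X-Content-Type-Options", "nosniff");
            http.setHeader("Referrer-Policy", "strict-origin");
            http.setHeader("Permissions-Policy", "geolocation=(), camera=(), microphone=()");
            // Modern guidance is to disable the legacy XSS auditor rather than enable it.
            http.setHeader("X-XSS-Protection", "0");
        }
        // Headers must be set before the downstream servlet/JSP commits the
        // response, so they are written here, ahead of the rest of the chain.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // No resources to release.
    }
}
```

Map the filter to url-pattern /* in web.xml so it covers every resource in the module; Strict-Transport-Security is only honoured by browsers on responses received over HTTPS, so confirm the header with a browser's network tab or curl -I after deployment.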



  • 6.  RE: Setting Security Headers on WAS 7

    Posted Tue May 24, 2022 09:52 AM
    Hello Brian,

    Thanks for your response.  This is what I'm understanding but just wanted to be sure I wasn't missing anything on WAS 7.  Thanks.

    Cesar

    ------------------------------
    Cesar Garcia
    ------------------------------