HTTP Header Security Filter (antiClickJackingEnabled x-frame-options) doesn't work with mod_proxy as expected

Michele Masè
I'm trying to configure the x-frame-options header in Tomcat 8.

web.xml:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Testing it with tomcat works as expected:

curl -I http://ip_of_tomcat:port_of_tomcat/myapp/
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1; Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:

Testing it with Tomcat behind an Apache reverse proxy with mod_proxy_http does not work as expected:

web.xml: the same as above

server.xml:
<Connector port="port_of_tomcat" protocol="HTTP/1.1" server=" "
           connectionTimeout="20000"
           ProxyPort="443"
           ProxyName="xframe.example.coms"
           scheme="https"
           secure="true"
           redirectPort="port_of_tomcat_plus_one" />

apache.conf:
<VirtualHost ip_of_tomcat:80>
    ServerName xframe.example.com
    ProxyPass / http://ip_of_tomcat:port_of_tomcat/
    ProxyPassReverse / http://ip_of_tomcat:port_of_tomcat/
</VirtualHost>

curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent

The X-Frame-Options header is missing. The only workaround I have found is
enabling mod_headers in apache.conf, i.e.:

<IfModule headers_module>
    <IfVersion >= 2.4.7>
        Header always setifempty X-Frame-Options SAMEORIGIN
    </IfVersion>
    <IfVersion < 2.4.7>
        Header always merge X-Frame-Options SAMEORIGIN
    </IfVersion>
</IfModule>

And it finally works:
curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:24:48 GMT
Server:
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=990791DCF707F972D7C2CF09D47F4BE4.myapp1; Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent

Is it possible to use X-Frame-Options with mod_proxy without also having to use mod_headers?
I would like to configure only Tomcat and not Apache.

--
Michele Masè
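The post above compares two `curl -I` captures by eye to find the header the proxy hop lost. The following script, added here as an illustration and not code from the poster or from the Tomcat or Apache projects, does that comparison mechanically: it parses pasted `curl -I` output (tolerating the mail-client line wraps seen in the post), checks the headers the HttpHeaderSecurityFilter is expected to emit against acceptable values, and lists which headers present on the direct Tomcat response are missing after the proxy. The two sample responses are constructed from the captures in the post; the set of expected headers and accepted values is the script's own assumption.

```python
"""Diff the security headers of a direct Tomcat response against the same
resource fetched through a reverse proxy, to spot headers the proxy lost.

Added example for this thread (not the poster's code). The two responses
below are constructed from the curl -I captures in the post.
"""

from typing import Dict, List, Optional, Set

# Headers the Tomcat HttpHeaderSecurityFilter is expected to emit on an
# HTTPS request, with the values this check accepts (None = any value).
# This table is an assumption of the example, not a Tomcat constant.
EXPECTED: Dict[str, Optional[Set[str]]] = {
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": {"nosniff"},
    "Strict-Transport-Security": None,
}

# Constructed from the post: direct Tomcat response (X-Frame-Options present).
DIRECT_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1;
Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:
"""

# Constructed from the post: same app via Apache mod_proxy (header missing).
PROXIED_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1;
Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a pasted `curl -I` capture into a lower-cased name -> value dict.

    Header names are lower-cased because HTTP header names are
    case-insensitive; the status line is skipped; a line with no colon is
    treated as a mail-client wrap of the previous header and re-joined;
    a repeated header is combined with ', ' as RFC 7230 permits.
    """
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/"):
            continue
        if ":" not in line:
            if last is not None:
                headers[last] = (headers[last] + " " + line.strip()).strip()
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
        last = name
    return headers


def missing_or_weak(headers: Dict[str, str]) -> List[str]:
    """Expected security headers that are absent or carry an unaccepted value."""
    problems: List[str] = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            problems.append(name)
        elif allowed is not None and value.upper() not in {a.upper() for a in allowed}:
            problems.append(name)
    return problems


def dropped_by_proxy(direct: Dict[str, str], proxied: Dict[str, str]) -> List[str]:
    """Header names present on the direct response but gone after the proxy hop."""
    return sorted(name for name in direct if name not in proxied)


if __name__ == "__main__":
    direct, proxied = parse_headers(DIRECT_RESPONSE), parse_headers(PROXIED_RESPONSE)
    print("direct  :", missing_or_weak(direct) or "all expected headers present")
    print("proxied :", missing_or_weak(proxied) or "all expected headers present")
    print("dropped by proxy:", dropped_by_proxy(direct, proxied))
```

To run it against a live deployment, save `curl -sI http://ip_of_tomcat:port_of_tomcat/myapp/` and `curl -sI https://xframe.example.com/myapp/` to two files and feed their contents to `parse_headers`; anything reported by `dropped_by_proxy` was set by Tomcat and lost somewhere in the Apache hop, which narrows the search to the proxy configuration rather than the filter.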