Enable XSS Protection
To use HATS support for XSS protection in projects migrated from HATS V8.0.x or V9.0.x, manually add the HatsHeaderSecurityFilter to the Web Deployment Descriptor file (web.xml). To add the filter to the web.xml file, follow these steps:
- From the HATS Toolkit, switch to the Navigator view of the HATS perspective.
- Open the web.xml file located in the Web Content\WEB-INF folder of your project.
- Click the Source tab to view the source of this file.
- Copy the following statements after the last defined filter (search for the last </filter>):

    <filter>
        <description>This filter will be invoked to create the security header for HATS</description>
        <display-name>HatsHeaderSecurityFilter</display-name>
        <filter-name>HatsHeaderSecurityFilter</filter-name>
        <filter-class>com.ibm.hats.runtime.filters.HatsHeaderSecurityFilter</filter-class>
        <async-supported>false</async-supported>
        <init-param>
            <param-name>Content-Security-Policy</param-name>
            <param-value>YES</param-value>
        </init-param>
        <init-param>
            <param-name>X-XSS-Protection</param-name>
            <param-value>YES</param-value>
        </init-param>
        <init-param>
            <param-name>X-Content-Type-Options</param-name>
            <param-value>YES</param-value>
        </init-param>
    </filter>

- Copy the following statements after the last defined filter mapping (search for the last </filter-mapping>). You must provide the url-pattern value, which selects the URLs to be secured from XSS attack:

    <filter-mapping>
        <filter-name>HatsHeaderSecurityFilter</filter-name>
        <url-pattern> </url-pattern>
    </filter-mapping>

- Save the file.
Note: If this project is already running on the server, republish the application so that WebSphere Application Server can pick up the changes in the web.xml file.
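As an added check (not part of the HATS documentation or product code), the following Python validates that a web.xml really contains the filter and filter mapping described above, and flags the step this procedure leaves open: a mapping whose url-pattern was never filled in. The sample web.xml strings and the /* pattern are constructed for the example.

```python
import xml.etree.ElementTree as ET
FILTER_NAME = "HatsHeaderSecurityFilter"
FILTER_CLASS = "com.ibm.hats.runtime.filters.HatsHeaderSecurityFilter"
HEADER_PARAMS = ("Content-Security-Policy", "X-XSS-Protection", "X-Content-Type-Options")
def _local(tag):
    # web.xml usually carries the Java EE namespace; match on the local name only.
    return tag.split("}", 1)[-1]
def _text(elem, name):
    # Text of the first direct child called `name`, or "" when it is absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def check_hats_filter(web_xml_text):
    """Return a list of problems; an empty list means the filter is wired up as documented."""
    root = ET.fromstring(web_xml_text)
    problems = []
    filters = [f for f in root.iter() if _local(f.tag) == "filter"
               and _text(f, "filter-name") == FILTER_NAME]
    if not filters:
        return ["no <filter> named " + FILTER_NAME]
    flt = filters[0]
    if _text(flt, "filter-class") != FILTER_CLASS:
        problems.append("unexpected filter-class " + repr(_text(flt, "filter-class")))
    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in flt if _local(p.tag) == "init-param"}
    for name in HEADER_PARAMS:  # the documented configuration sets each of these to YES
        if params.get(name) != "YES":
            problems.append("init-param %s is %r, expected YES" % (name, params.get(name)))
    mappings = [m for m in root.iter() if _local(m.tag) == "filter-mapping"
                and _text(m, "filter-name") == FILTER_NAME]
    if not mappings:
        problems.append("no <filter-mapping> for " + FILTER_NAME)
    elif not any(_text(m, "url-pattern") for m in mappings):
        problems.append("<url-pattern> is empty, so no URL is protected")
    return problems

# Constructed sample (not a real project's web.xml): the documented snippet with the
# <url-pattern> still blank, plus the same file with a hypothetical pattern filled in.
BLANK_PATTERN_XML = """<web-app>
<filter><filter-name>HatsHeaderSecurityFilter</filter-name>
<filter-class>com.ibm.hats.runtime.filters.HatsHeaderSecurityFilter</filter-class>
<init-param><param-name>Content-Security-Policy</param-name><param-value>YES</param-value></init-param>
<init-param><param-name>X-XSS-Protection</param-name><param-value>YES</param-value></init-param>
<init-param><param-name>X-Content-Type-Options</param-name><param-value>YES</param-value></init-param>
</filter>
<filter-mapping><filter-name>HatsHeaderSecurityFilter</filter-name><url-pattern> </url-pattern></filter-mapping>
</web-app>"""
FIXED_XML = BLANK_PATTERN_XML.replace("<url-pattern> </url-pattern>", "<url-pattern>/*</url-pattern>")
```

Run check_hats_filter over the real web.xml before republishing; an empty list confirms the filter, its three init-params and a non-blank mapping are all present.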