Goal
Configure Content Security Policy (CSP) and X-XSS-Protection HTTP response headers for App Studio deployed on Tomcat.
Environment
App Studio 4.14.0
Apache Tomcat 9
Reverse proxy (for example, NGINX) in front of App Studio
Guide
Configure headers using Tomcat web.xml
You can define security-related headers directly in Tomcat's deployment descriptor (the application's WEB-INF/web.xml, or conf/web.xml to apply to every application). Tomcat's built-in HttpHeaderSecurityFilter covers HSTS, X-Frame-Options and X-Content-Type-Options:

    <filter>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

HttpHeaderSecurityFilter has no parameter for Content-Security-Policy or X-XSS-Protection, and Tomcat ships no filter that turns arbitrary init-params into response headers (AddDefaultCharsetFilter, for example, only understands an encoding parameter, so header names passed to it are not emitted). To add those headers at the container level, register a small custom servlet Filter that sets each of its init-params as a response header. The class name com.example.AddHeadersFilter below is a placeholder for that implementation, which you supply in WEB-INF/classes or WEB-INF/lib:

    <filter>
        <filter-name>HeaderFilter</filter-name>
        <!-- placeholder class name: a custom javax.servlet.Filter that sets each init-param as a response header -->
        <filter-class>com.example.AddHeadersFilter</filter-class>
        <init-param>
            <param-name>Content-Security-Policy</param-name>
            <param-value>default-src 'self'; script-src 'self'</param-value>
        </init-param>
        <init-param>
            <param-name>X-XSS-Protection</param-name>
            <param-value>0</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HeaderFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Configure headers in NGINX reverse proxy
If App Studio runs behind NGINX, you can inject headers at the proxy layer. The upstream block is an assumed example that points at Tomcat's default port; replace the address with wherever Tomcat actually listens:

    upstream appstudio_backend {
        server 127.0.0.1:8080;   # assumed: Tomcat running App Studio on its default port
    }

    server {
        location / {
            proxy_pass http://appstudio_backend;
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
            add_header X-XSS-Protection "0" always;
        }
    }

Two NGINX behaviours matter here. Without always, add_header only applies to successful and redirect responses (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), so error pages would be served without a policy. And a location that declares any add_header of its own stops inheriting those declared at server or http level, so repeat the full set in every location that needs it. Emit Content-Security-Policy from one layer only (proxy or container): if both add it, the browser receives two policies and enforces both.

Configure headers in JSP/HTML pages
As a last option, headers can be set directly in JSP or HTML files. The scriptlet must come before any output in the page, because headers can no longer be set once the response has been committed:

    <%@ page language="java" %>
    <%
        response.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'");
        response.setHeader("X-XSS-Protection", "0");
    %>

Note: This method requires modifying application code, only covers the pages that contain the scriptlet (not static resources or error responses), and is generally less preferred than proxy or container-level configuration.
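The container-level route in the web.xml section needs a Filter that Tomcat does not ship. The following is an added example of such a filter, written for this article and not taken from App Studio or Tomcat; the package and class name com.example.AddHeadersFilter are placeholders, and it assumes Tomcat 9's javax.servlet API (Tomcat 10 and later use jakarta.servlet). Registered with the filter and filter-mapping shown in the web.xml section, it sets every init-param as a response header on every request and refuses to start if a value contains a line break.

```java
package com.example; // placeholder package, matches the placeholder filter-class in web.xml

import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets each filter init-param as a response header, so web.xml can declare
 * Content-Security-Policy, X-XSS-Protection, etc. without touching any page.
 * Example code for this article; Tomcat 9 uses the javax.servlet API.
 */
public class AddHeadersFilter implements Filter {

    private Map<String, String> headers = Collections.emptyMap();

    @Override
    public void init(FilterConfig config) throws ServletException {
        Map<String, String> parsed = new LinkedHashMap<>();
        for (String name : Collections.list(config.getInitParameterNames())) {
            String value = config.getInitParameter(name);
            // A CR or LF in a header value would corrupt the response; fail at
            // startup on a mistyped web.xml rather than emit a broken header.
            if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                throw new ServletException("Invalid header value for " + name);
            }
            parsed.put(name, value);
        }
        headers = Collections.unmodifiableMap(parsed);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before the chain runs, i.e. before anything commits the response.
            // setHeader replaces rather than appends, so each name is sent once;
            // code further down the chain may still call setHeader to override it.
            for (Map.Entry<String, String> e : headers.entrySet()) {
                http.setHeader(e.getKey(), e.getValue());
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        headers = Collections.emptyMap();
    }
}
```

Compile it against Tomcat's lib/servlet-api.jar and place the class under WEB-INF/classes (or a jar under WEB-INF/lib) of the App Studio web application. Filters run in the order their filter-mapping elements appear in web.xml. After restarting Tomcat, confirm the headers with curl -sD - -o /dev/null http://host:port/ and check that Content-Security-Policy appears exactly once.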