Enable Cross-Site Request Forgery (CSRF) protection
CSRF protection is disabled by default. You can enable or disable CSRF protection as follows:
-
To enable CSRF protection, enter
ecconfigure --webCsrfProtection=true. Examples using the default directory:-
For Linux, enter
/opt/cloudbees/sda//bin/ecconfigure --webCsrfProtection=true -
For Windows, enter
C:\Program Files\CloudBees\Software Delivery Automation\bin>ecconfigure --webCsrfProtection=true
-
-
To disable CSRF protection, enter
ecconfigure --webCsrfProtection=false. Examples using the default directory:-
For Linux, enter
/opt/cloudbees/sda//bin/ecconfigure --webCsrfProtection=false -
For Windows, enter
C:\Program Files\CloudBees\Software Delivery Automation\bin>ecconfigure --webCsrfProtection=false
-
Configure HTTP Strict Transport Security (HSTS)
HSTS a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS.
To configure:
-
Open the
<Tomcat>/conf/web.xmlfile in a text editor. -
Remove the following:
-
httpHeaderSecurity filterdefinition -
<filter-mapping>section
-
-
Add the
hstsMaxAgeSecondsparameter.<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>hstsMaxAgeSeconds</param-name> <param-value>31536000</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> -
Save changes.
-
Restart Tomcat.