Enable Cross-Site Request Forgery (CSRF) protection
CSRF protection is disabled by default. You can enable or disable CSRF protection as follows:

- To enable CSRF protection, enter:

    ecconfigure --webCsrfProtection=true

  Examples using the default directory:
  - For Linux, enter /opt/cloudbees/sda/bin/ecconfigure --webCsrfProtection=true
  - For Windows, enter C:\Program Files\CloudBees\Software Delivery Automation\bin>ecconfigure --webCsrfProtection=true

- To disable CSRF protection, enter:

    ecconfigure --webCsrfProtection=false

  Examples using the default directory:
  - For Linux, enter /opt/cloudbees/sda/bin/ecconfigure --webCsrfProtection=false
  - For Windows, enter C:\Program Files\CloudBees\Software Delivery Automation\bin>ecconfigure --webCsrfProtection=false
Configure HTTP Strict Transport Security (HSTS)
HSTS is a simple and widely supported standard that protects visitors by ensuring that their browsers always connect to a website over HTTPS.

To configure:

- Open the <Tomcat>/conf/web.xml file in a text editor.
- Remove the following:
  - the existing httpHeaderSecurity filter definition
  - its <filter-mapping> section
- Add the hstsMaxAgeSeconds parameter by inserting the following filter definition and mapping:

    <filter>
      <filter-name>httpHeaderSecurity</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
      </init-param>
      <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
      <filter-name>httpHeaderSecurity</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

- Save changes.
- Restart Tomcat.
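After the restart, confirm that the server actually sends the Strict-Transport-Security header: with hstsMaxAgeSeconds set to 31536000, Tomcat's HttpHeaderSecurityFilter emits max-age=31536000 (one year). The POSIX shell helper below is an added example, not part of the CloudBees documentation; it parses raw response headers such as those printed by curl -I and checks the max-age value, and the hostname in its comment is a placeholder.

```shell
#!/bin/sh
# Added verification helper (not part of the CloudBees documentation).
# Reads raw HTTP response headers on stdin and prints the max-age value of
# the Strict-Transport-Security header, or nothing if the header is absent.
# CR characters are stripped so CRLF headers from a real server parse too.
hsts_max_age() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" {
      if (match(tolower($2), /max-age=[0-9]+/)) {
        print substr($2, RSTART + 8, RLENGTH - 8)
        exit
      }
    }'
}

# Succeeds (exit 0) only when the header is present and its max-age is at
# least the expected number of seconds given as $1.
check_hsts() {
  age=$(hsts_max_age)
  [ -n "$age" ] && [ "$age" -ge "$1" ]
}

# Constructed sample responses (not captured from a real server): one with
# the header produced by the hstsMaxAgeSeconds=31536000 configuration above,
# and one from a server where the filter is missing.
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Type: text/html;charset=UTF-8'
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

# Against a live server, feed it the headers from curl instead, e.g.
#   curl -sSI https://sda.example.invalid/ | check_hsts 31536000
# (the hostname is a placeholder).
printf '%s\n' "$GOOD_HEADERS" | check_hsts 31536000 && echo "HSTS configured"
printf '%s\n' "$BAD_HEADERS"  | check_hsts 31536000 || echo "HSTS header missing"
```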