Introduction
FME Flow ships Apache Tomcat as the FME Web Application Server Service. Every request made to FME Flow returns an HTTP response, and additional (non-standard) security headers can be enabled on that response for enhanced security.
If you have performed a security penetration test against FME Flow and have been unable to find remediation steps to one or more of the reported issues on the FME Community, please contact Safe Software Support.
As of FME 2025.1, the X-Content-Type-Options: nosniff header is also applied when the services are called directly (e.g. https://localhost/fmejobsubmitter/Dashboards/AverageRunningTime.fmw).
How do I enable an HTTP response header?
X-Content-Type-Options
To enable this header, please follow the instructions below:
1. Run a text editor as an administrator and open the web.xml file located in <InstallDir>\Utilities\tomcat\conf.
Remove the comment block characters <!-- --> (or the # characters from the beginning of each line) to uncomment the filter definition:
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
Also uncomment the filter mapping:
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
2. Save this file and restart the FME Web Application Server Service.
3. To verify this change has been applied, open the FME Flow Web UI > Developer Tools > Network > Click on a request > Headers > and you should see the header X-Content-Type-Options:nosniff
Please be aware that when this header is set (that is, content sniffing is disabled), a job run under the Data Streaming Service whose response MIME type has not been set correctly will not display in the browser; the browser will download the file instead.
X-Frame-Options
Follow the instructions documented on FME Flow Apache Tomcat Vulnerability with X-Frame-Options header to enable this header.
Strict-Transport-Security
To enable the HSTS header, FME Flow must first be configured for HTTPS. Once you have set this up, follow the instructions below:
1. Run a text editor as an administrator and open the web.xml file located in <InstallDir>\Utilities\tomcat\conf.
Remove the comment block characters <!-- --> (or the # characters from the beginning of each line) to uncomment the filter definition:
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
Then, inside the <filter> element and above the <async-supported> tag, add:
<init-param>
  <param-name>hstsMaxAgeSeconds</param-name>
  <param-value>31536000</param-value>
</init-param>
Lastly, uncomment the filter mapping:
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
2. Restart the FME Web Application Server Service.
3. To verify this change has been applied, open the FME Flow Web UI > Developer Tools > Network > Click on a request > Headers, and you should see the header strict-transport-security: max-age=31536000
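As an added example that is not part of this article, the following Python script performs the verification from step 3 of both procedures above from the command line instead of the browser's Network tab: it parses a raw response header block and reports whether X-Content-Type-Options, Strict-Transport-Security (with the 31536000-second max-age configured above) and X-Frame-Options are present, and whether a Content-Security-Policy header exists. The header block below is a constructed sample; in practice, pass it the output of curl -sI against your FME Flow URL.

```python
"""Audit an HTTP response header block for the headers this article enables.

Feed it the output of `curl -sI https://<fme-flow-host>/fmeserver/` (or any raw
header block); SAMPLE_RESPONSE below is constructed for offline use.
"""
import re

# Constructed sample response, modelled on the headers the article tells you to
# look for after editing web.xml (not captured from a real FME Flow host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

MIN_HSTS_MAX_AGE = 31536000  # the value the article puts in hstsMaxAgeSeconds


def parse_headers(raw):
    """Return {lower-case header name: value} for the first header block in raw."""
    headers = {}
    # Take only the first block (curl -sI through a redirect prints several),
    # accepting either CRLF or LF line endings.
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return {check name: bool} for the headers discussed in the article."""
    h = parse_headers(raw)
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    return {
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "hsts": hsts is not None and int(hsts.group(1)) >= MIN_HSTS_MAX_AGE,
        "frame_options": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "csp": "content-security-policy" in h,
    }


if __name__ == "__main__":
    for check, ok in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{check:14s} {'OK' if ok else 'MISSING'}")
```

Note that Tomcat only emits the HSTS header on requests it sees as secure, so run the check against the HTTPS URL you configured.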
Content-Security-Policy
The CSP header is not supported by Apache Tomcat’s in-built filters; therefore, it is not currently possible to enable this header.
To request support for this header, please contact Safe Software Support and quote FMESERVER-13532. Your case will be assigned an internal ticket, and you will be notified when it is resolved.
As of FME 2025.1, this has been resolved.