Enabling HTTP Response Headers to Secure the FME Server Web Application Server

Liz Sanderson

Introduction

FME Server ships Apache Tomcat as the FME Web Application Server Service. Whenever a request is made to FME Server, it returns a response, and additional (non-standard) headers can be enabled on that response for enhanced security.

If you have performed a security penetration test against FME Server and have been unable to find remediation steps for one or more of the reported issues on the FME Community, please contact Safe Software Support.


How do I enable an HTTP response header?

X-Content-Type-Options

To enable this header, please follow the instructions below: 

  1. Run a text editor as an administrator and open the web.xml file located in <InstallDir>\Utilities\tomcat\conf
    1. Remove the comment block characters <!-- --> (or # characters from the beginning of each line) to uncomment:
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
      </filter>
    2. Also, uncomment:
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
  2. Save this file and restart the FME Web Application Server Service.
  3. To verify this change has been applied, open the FME Server Web UI > Developer Tools > Network > click on a request > Headers, and you should see the header X-Content-Type-Options: nosniff

Note: When this header is set (that is, content sniffing is disabled), output from jobs run under the Data Streaming Service will only display in the browser if the MIME type of the response has been set correctly; otherwise the browser will download the file instead.


X-Frame-Options

Follow the instructions documented on FME Server Apache Tomcat Vulnerability with X-Frame-Options header to enable this header. 


Strict-Transport-Security

To enable the HSTS header, FME Server must first be configured for HTTPS. Once you have set this up, follow the instructions below: 

  1. Run a text editor as an administrator and open the web.xml file located in <InstallDir>\Utilities\tomcat\conf
    1. Remove the comment block characters <!-- --> (or # characters from the beginning of each line) to uncomment:
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
      </filter>
    2. Then, above the <async-supported> tag, add:
      <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
      </init-param>
    3. Lastly, uncomment:
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
  2. Restart the FME Web Application Server Service.
  3. To verify this change has been applied, open the FME Server Web UI > Developer Tools > Network > click on a request > Headers, and you should see the header strict-transport-security: max-age=31536000
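As an alternative to clicking through Developer Tools, the following added example (not part of this article or of FME Server) checks a raw HTTP response header block, such as the output of `curl -sI` against your FME Server URL, for the X-Content-Type-Options and Strict-Transport-Security values configured above, plus X-Frame-Options. The sample responses embedded in it are constructed, and the one-year HSTS minimum follows the hstsMaxAgeSeconds value used in this article.

```python
import re

HSTS_MIN_AGE = 31536000  # one year, the hstsMaxAgeSeconds value set in the article


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values from a raw response header block."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skips the status line and blank lines
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw: str) -> list:
    """Return a list of findings; an empty list means all three headers look right."""
    h = parse_headers(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below {HSTS_MIN_AGE}")
    return findings


# Constructed sample: headers as they should look after following the article.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
"""

# Constructed sample: the httpHeaderSecurity filter still commented out in web.xml.
DEFAULT = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, check_security_headers(raw) or "OK")
```

Save `curl -sI` output to a file and pass its contents to check_security_headers to test a live instance.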


Content-Security-Policy

The CSP header is not supported by Apache Tomcat’s built-in filters; for this reason, it is not currently possible to enable this header.

To request support for this header, please contact Safe Software Support and quote FMESERVER-13532. Your case will be assigned to the internal ticket and you will be notified if this is resolved. 


Comments


    Johannes Schwer

    It seems important to mention that the X-Frame-Options and Strict-Transport-Security headers go hand in hand because they are both managed by the httpHeaderSecurity filter. The documentation on this page for configuring Strict-Transport-Security is a little bit misleading:
    It assumes the httpHeaderSecurity filter is not yet activated, and simply following this guide breaks parts of the FME Flow web interface (job history dashboards which are embedded as frames). This is due to the circumstance that, without explicitly setting antiClickJackingOption=SAMEORIGIN (or a custom origin), activating the httpHeaderSecurity filter implicitly activates the default value of antiClickJackingOption, which is DENY. This prevents FME Flow from embedding its own content…

