added some http-only configuration to avoid common XSS
[addressbook-war.git] / web / WEB-INF / web.xml
index f827361252a2efb0e689abe59ef9412e8e876433..63b7ef9bae18105577fa22ede52dfbde4c6ea8aa 100644 (file)
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
+    <description>An online address book application to share private and business memebers between all members. It is also possible that the user's profile can be made visible to outside.</description>
     <display-name>Addressbook Application v1.0</display-name>
     <context-param>
         <param-name>javax.faces.PROJECT_STAGE</param-name>
     </servlet-mapping>
     <session-config>
         <session-timeout>
-                       30
-               </session-timeout>
+            30
+        </session-timeout>
+        <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
     </session-config>
     <welcome-file-list>
         <welcome-file>faces/index.xhtml</welcome-file>
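Review bot: The new `<cookie-config>` sets only `<http-only>`, so the session cookie can still travel over plain HTTP, and the container may still fall back to URL rewriting, which puts the session id in links where the HttpOnly flag gives no protection. If the application is served over HTTPS (not visible from this hunk), add `<secure>true</secure>` after `<http-only>true</http-only>`, and add `<tracking-mode>COOKIE</tracking-mode>` after `</cookie-config>` to restrict session tracking to cookies. HttpOnly only keeps script from reading the session cookie; it does not prevent XSS itself, so output escaping in the views remains the primary control. The `<session-config>` element is fully inside the hunk, although the hunk's `@@` header is missing from this page.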