From: Roland Haeder <roland@mxchange.org>
Date: Thu, 7 Apr 2016 10:57:42 +0000 (+0200)
Subject: added some http-only configuration to avoid common XSS
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=de6356fedf067ad343e4ec35e74e6b25963641c2;p=addressbook-war.git

added some http-only configuration to avoid common XSS
---

diff --git a/web/WEB-INF/web.xml b/web/WEB-INF/web.xml
index 4daac621..63b7ef9b 100644
--- a/web/WEB-INF/web.xml
+++ b/web/WEB-INF/web.xml
@@ -1,70 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
-	<description>An online address book application to share private and business memebers between all members. It is also possible that the user's profile can be made visible to outside.</description>
-	<display-name>Addressbook Application v1.0</display-name>
-	<context-param>
-		<param-name>javax.faces.PROJECT_STAGE</param-name>
-		<param-value>Development</param-value>
-	</context-param>
-	<servlet>
-		<servlet-name>Faces Servlet</servlet-name>
-		<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
-		<load-on-startup>1</load-on-startup>
-	</servlet>
-	<servlet-mapping>
-		<servlet-name>Faces Servlet</servlet-name>
-		<url-pattern>/faces/*</url-pattern>
-	</servlet-mapping>
-	<session-config>
-		<session-timeout>
-			30
-		</session-timeout>
-	</session-config>
-	<welcome-file-list>
-		<welcome-file>faces/index.xhtml</welcome-file>
-	</welcome-file-list>
-	<security-constraint>
-		<display-name>LoginConstraint</display-name>
-		<web-resource-collection>
-			<web-resource-name>loginArea</web-resource-name>
-			<description>Login area</description>
-			<url-pattern>/llogin/*</url-pattern>
-		</web-resource-collection>
-		<auth-constraint>
-			<description>User Authentication</description>
-			<role-name>user</role-name>
-		</auth-constraint>
-	</security-constraint>
-	<security-constraint>
-		<display-name>AdminConstraint</display-name>
-		<web-resource-collection>
-			<web-resource-name>admin</web-resource-name>
-			<description>Administrative area</description>
-			<url-pattern>/admin/*</url-pattern>
-		</web-resource-collection>
-		<auth-constraint>
-			<description>Admin authentication</description>
-			<role-name>admin</role-name>
-		</auth-constraint>
-	</security-constraint>
-	<login-config>
-		<auth-method>FORM</auth-method>
-		<realm-name>Loginbereich / Login area</realm-name>
-		<form-login-config>
-			<form-login-page>/user/login.xhtml</form-login-page>
-			<form-error-page>/user/login_error.xhtml</form-error-page>
-		</form-login-config>
-	</login-config>
-	<security-role>
-		<description>A logged-in user that has previously registered himself/herself.</description>
-		<role-name>user</role-name>
-	</security-role>
-	<mime-mapping>
-		<extension>tpl</extension>
-		<mime-type>text/plain</mime-type>
-	</mime-mapping>
-	<security-role>
-		<description>Administrativre rule</description>
-		<role-name>admin</role-name>
-	</security-role>
+    <description>An online address book application to share private and business memebers between all members. It is also possible that the user's profile can be made visible to outside.</description>
+    <display-name>Addressbook Application v1.0</display-name>
+    <context-param>
+        <param-name>javax.faces.PROJECT_STAGE</param-name>
+        <param-value>Development</param-value>
+    </context-param>
+    <servlet>
+        <servlet-name>Faces Servlet</servlet-name>
+        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>Faces Servlet</servlet-name>
+        <url-pattern>/faces/*</url-pattern>
+    </servlet-mapping>
+    <session-config>
+        <session-timeout>
+            30
+        </session-timeout>
+        <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
+    </session-config>
+    <welcome-file-list>
+        <welcome-file>faces/index.xhtml</welcome-file>
+    </welcome-file-list>
+    <security-constraint>
+        <display-name>LoginConstraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>loginArea</web-resource-name>
+            <description>Login area</description>
+            <url-pattern>/llogin/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <description>User Authentication</description>
+            <role-name>user</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <security-constraint>
+        <display-name>AdminConstraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>admin</web-resource-name>
+            <description>Administrative area</description>
+            <url-pattern>/admin/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <description>Admin authentication</description>
+            <role-name>admin</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <login-config>
+        <auth-method>FORM</auth-method>
+        <realm-name>Loginbereich / Login area</realm-name>
+        <form-login-config>
+            <form-login-page>/user/login.xhtml</form-login-page>
+            <form-error-page>/user/login_error.xhtml</form-error-page>
+        </form-login-config>
+    </login-config>
+    <security-role>
+        <description>A logged-in user that has previously registered himself/herself.</description>
+        <role-name>user</role-name>
+    </security-role>
+    <mime-mapping>
+        <extension>tpl</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <security-role>
+        <description>Administrativre rule</description>
+        <role-name>admin</role-name>
+    </security-role>
 </web-app>