<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
+ <cookie-config>
+ <http-only>true</http-only>
+ <secure>true</secure>
+ </cookie-config>
</session-config>
<filter>
<filter-name>SecurityXssFilter</filter-name>
<location>/WEB-INF/jsp/error.jsp</location>
</error-page>
+ <!-- Require HTTPS for everything except /img (favicon) and /css. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTTPSOnly</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTTPSOrHTTP</web-resource-name>
+ <url-pattern>*.ico</url-pattern>
+ <url-pattern>/img/*</url-pattern>
+ <url-pattern>/css/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>NONE</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
</web-app>
\ No newline at end of file
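Review bot: The `HTTPSOrHTTP` constraint at L23–L33 reopens plain HTTP for `*.ico`, `/img/*` and `/css/*`, and when a NONE user-data-constraint applies to a request alongside the CONFIDENTIAL one from `/*`, the containers I know (Tomcat, at least) treat the request as allowed over HTTP, so these assets are served unredirected and an on-path attacker can tamper with the stylesheets an HTTP visitor receives. Modern browsers already refuse an `http:` stylesheet on an `https:` page as mixed content, so the exception buys the HTTPS site nothing; unless a known HTTP-only consumer of these files exists, drop the second `<security-constraint>` and let `/*` cover them. If it must stay, note that `*.ico` is an extension pattern and whether a root `/favicon.ico` hits it or the `/*` prefix first depends on the container's constraint-matching order — presumably why the comment says the favicon lives under `/img`, but worth confirming, and the comment should then list `*.ico` too. I would also extend the comment at L13 with `<!-- CONFIDENTIAL only redirects HTTP to HTTPS; it is not HSTS, which must be set by a filter or the front proxy. -->` so nobody assumes this hardens the first request.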