Some time ago, I was working on a project where I had to fix an issue that was raised by our OWASP Zap scanner, which is a free security tool that runs in the test phase of the Jenkins build of the project. It checks for security vulnerabilities that you want to prevent from going to Production.

The error / warning that was raised looked like this:

X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.

That’s pretty generic and anything could’ve cause that. The odd thing was that we actually had anti-clickjacking libraries in place for our service, so where was this coming from?

After some digging around in the logs I noticed something I had not expected to find. There were still Tomcat example apps exposed in the Tomcat server that was running our service. We used Docker for setting up our Tomcat environments and apparently the base Tomcat Docker image isn’t stripped as much as you might like. I’d expected the Docker base image didn’t contain any example apps.

The fix is easy, but you have to know about it, and it took me some time to figure out the problem, which is why I decided to share this small piece of information.

Add the following to you Dockerfile to remove the base webapps coming along with Tomcat and prevent any security issues that might unknowingly occur in these example apps:

# Remove the default Tomcat folders (which will otherwise be exposed in production!)
RUN rm -rf /usr/local/tomcat/webapps/*

This was yet another lesson for me to not blindly rely on third-party software / docker images / libaries. Always keep thinking about what you use and deploy.