XSS Protection Filter Configuration

Objective

To mitigate Cross-Site Scripting (XSS) risks by implementing a custom XSS protection filter and security headers.

1. Copying the Class File

  • Place the appropriate class file in:
    <AE_Application>/aeui/WEB-INF/classes

Available Class Files

  • For versions below 8.0:
    • AeXssProtectionFilter_xss1.class → Enables XSS protection
    • AeXssProtectionFilter_xss0.class → Disables XSS protection
  • For version 8.0:
    • AeXssProtectionFilter.class

👉 Select the file that matches the AE version and the required behaviour (protection enabled or disabled).

👉 Whichever file is selected, the file placed in the classes folder must carry the 8.0 name, because that is the class name web.xml references:

    AeXssProtectionFilter.class

2. Updating web.xml

File Location

<AE_Application>/aeui/WEB-INF/web.xml

Configuration

Add the following before the <security-constraint> tag:

    <filter>
        <filter-name>AeXssFilter</filter-name>
        <filter-class>AeXssProtectionFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>AeXssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

3. HSTS Configuration (Optional)

The HSTS (Strict-Transport-Security) header, including its max-age value, can be added in the server-wide Tomcat configuration:

    <Tomcat_Home>/conf/web.xml

4. Compatibility Information

  • AE version 8.1 and above sets the XSS protection headers out of the box; no manual configuration is needed.
  • Manual configuration is required only for versions below 8.1, including 8.0 (using the provided class file).

5. Additional Headers

  • Other required security headers can be configured with a similar filter-based implementation registered in web.xml.
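The following is an added illustrative filter, not the AE-provided AeXssProtectionFilter class, showing what a filter registered as in section 2 does and how additional headers (including HSTS) fit the same pattern; it assumes the javax.servlet API of the bundled Tomcat, a default-package class under WEB-INF/classes, and hypothetical init-param names contentSecurityPolicy and hstsMaxAge.

```java
// Added example: a security-headers servlet filter in the style of AeXssFilter.
// Register it in web.xml with <filter-class>SecurityHeadersFilter</filter-class>
// and a <url-pattern>/*</url-pattern> mapping, exactly as AeXssFilter is mapped.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {
    // Hypothetical init-params; these defaults apply when web.xml sets none.
    private String csp = "default-src 'self'; object-src 'none'; frame-ancestors 'self'";
    private long hstsMaxAge = 31536000L; // one year, in seconds

    @Override
    public void init(FilterConfig config) {
        String v = config.getInitParameter("contentSecurityPolicy");
        if (v != null && !v.isEmpty()) csp = v;
        v = config.getInitParameter("hstsMaxAge");
        if (v != null && !v.isEmpty()) hstsMaxAge = Long.parseLong(v.trim());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Legacy browser XSS auditor: block the page instead of sanitising it.
            http.setHeader("X-XSS-Protection", "1; mode=block");
            // Stop MIME sniffing, which can turn an uploaded file into script.
            http.setHeader("X-Content-Type-Options", "nosniff");
            // The primary modern XSS mitigation: restrict script sources.
            http.setHeader("Content-Security-Policy", csp);
            // Clickjacking defence; keep consistent with frame-ancestors above.
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
            // HSTS only takes effect over TLS; browsers ignore it on plain HTTP.
            if (req.isSecure()) {
                http.setHeader("Strict-Transport-Security",
                        "max-age=" + hstsMaxAge + "; includeSubDomains");
            }
        }
        // Headers are set before the chain runs so a servlet may still override them.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Compile it against the servlet API jar shipped with the bundled Tomcat and drop the resulting .class into aeui/WEB-INF/classes beside AeXssProtectionFilter.class.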


Validation

  1. Restart the AE application
  2. Open the AE application in a browser and press F12 to open the developer tools
  3. Go to the Network tab, select a request to the application and inspect its Response Headers
  4. Verify that the XSS-related headers are present

Important Notes

  • Ensure the correct class file is used for the AE version
  • Place it in:
    aeui/WEB-INF/classes
