Releases: javaguru/nexus-backend

Modern WAF defense, Java RCE, XXE, AI User-Agent, rewrite XSS, SQL, Google, Command, File

25 Mar 14:18

Modern WAF defense

Update Tomcat 9.0.116
Add Modern WAF defense, rewrite XSS, SQL, Google, Command, File and Suspicious characters injections
Add new filter Java RCE, XXE, AI User-Agent injections
Add IBackendErrorMessage in BackendService, custom default error model
Fix WAF Filter, add ANTI-DOS Prevent loading massive files into RAM
Improvements, reduce init XML MimeType, validate same time Host & UserAgent, get RemoteAddr
Fix Tomcat Connector customize, Configuration Http connector by default
Add Tomcat Security role basic ACL, add Tomcat ErrorReport valve showReport and showServerInfo
Fix WebSecurityConfig authorizeHttpRequests, including /error
Fix logback, add logger HTTPMethodOverrideFilter
Clean Spring Profile withTomcat or withoutTomcat
Limit msg log RequestRejectedException
Clean ApiBackend, ApplicationTestConfig, DefaultErrorController, web.xml

Forwarded headers Client and Transfer headers Backend Server, Cors headers exposed

01 Sep 18:10

Remove all headers client at true by default (see allowed list)
Add new keys xForwardedHeaders for X-Forwarded-* headers
Add preconfigured forwarded back list headers
Add BackendServiceImpl, Assert test, remove Setter (TODO new config)
Transfer X-Forwarded headers and configured client headers
Add Mock endpoints data John Doe

Reorganize WAFFilter Multipart, CorsConfiguration, Cookie client stateful

22 Aug 20:11

WAFFilter Wrap MultipartFiles, add WAFMultipartRequestWrapper magic numbers
ApiBackend remove BackendResource all in memory
BackendServiceImpl add constructor and Setter
Fix CorsConfigurationSource missing default OPTIONS method in allowedCorsHttpMethods and fix default CORS allowedHeaders
Fix Cookie client stateful managed POST,PUT,PATCH, remove DefaultCookieSpecRegistry
Fix default values settings.properties
Fix file-size-threshold at 2MB
Add Security Policy
Fix remove Autowired
Fix userAgent Pattern
Fix Spring devtools
Clean StatusController
Clean packages
Update Docs

Security RateLimit, Content Security Policy and Referrer-Policy

31 Jul 19:05

Add Content Security Policy (CSP) by default, basic rules
Add StrictTransportSecurity and Referrer-Policy no-referrer by default
Add RateLimit interceptor, 1000 per minute and per IP address
Fix GlobalDefaultExceptionHandler, special case ClientAbort
Fix DefaultErrorController, add missing methods PUT, PATCH and DELETE
Fix StatusController, add startup date and days
Back UserAgent blocked at false by default
Split WebConfig in separate WebFilterConfig and WebMcvConfig
Clean java package
Update Docs

Improve Security Predicate Hostnames and UserAgent

29 Jul 17:43

Fix Predicate for Hostnames, fix Header Values/Params
Fix improve Security Header, remove SQLi for Bearer Token
Fix Predicate isUserAgentBlocked validate User-Agent
Shared CookieRedirectInterceptor
Remove redundant addViewControllers Web endpoints /error /notfound /forbidden
Improve performance Jdk13, Spring 5, Tomcat 9
Add new resources Postman-Echo performance report 2025 in Pdf and Png
Clean pom.xml, java package and comments
Update Docs

Security WAFFilter and WAFPredicate patterns

26 Jul 21:43

Fix Spring Security dependencies and last Tomcat 9
Fix improve security WAFFilter and WAFPredicate
Add Config User-Agent filter, Hostname pattern filter
Fix maven war plugin modern version 3.4.0
Fix JavaDoc and dependencies
Clean package
Update documentation

Fix Pattern XSS payloads

Propagation Cookie Redirection

11 May 21:30

Fix and rename CookieRedirectInterceptor, Fix Cookies and Set-Cookie during a redirection http status 3xx.
Add predicate parameters
Fix JavaDoc
Clean package
Update documentation

Manage Cookie, Gateway is stateless!

04 May 14:34

Fix ClientHttp, forced IGNORE_COOKIES to be a Gateway stateless!
Manage manually the Redirections, fix propagation Cookie and Set-Cookie during a redirection
Fix ApiBackend list SET_COOKIE, TRANSFER_ENCODING chunked
Fix WAFFilter, waf Predicate getXSSPatterns
Add config parameters WAFPredicate
Fix improve Xss Pattern regexp
Upgrade Tomcat 9.0.104
Clean package

CORS Security configuration Spring 5/6

03 Nov 20:40

Add new CORS Security configuration Spring 5/6
Update Doc settings.properties new config CORS
Update Doc, default CORS Security configuration
Clean neutral Jackson2ObjectMapperBuilder, remove mapper.date
Add testXError 400, 401 and 500 in RestApiTest
Fix NexusHttpException in BackendServiceImpl
Add example standardized method test Put or Post ListEntity
Add postDataList MockController
Update Spring Security at version 5.8.15
Add handleMethodNotSupportedException return 404 in GlobalDefaultExceptionHandler
Change Cors Mappings /api/**
Add disableCookieManagement ApplicationTestConfig
Clean neutral Jackson2ObjectMapperBuilder
Remove mapper serializer date and patternDateTimeZone
Remove hallowEtagHeader Filter
Update README.md

Fix missing method addCorsMappings

23 Oct 19:13

Release Notes:
Fix missing method addCorsMappings /*
HttpClient4 disableCookieManagement
Change BackendServiceImpl get ResponseBody as ByteArray
BackendServiceImpl remove let back BAD_REQUEST!
Move ErrorMessage in Api package from the Backend
Fix logback.xml, add org.apache.http.headers at OFF
Add CompliantLineParser in HttpConnectionFactory
Add new constructor in BackendServiceImpl isHandleBackendEntity true/false
Add static list HttpStatusError available
BackendServiceImpl remove EntityError
ApiBackend remove EntityError
Add "WWW-Authenticate" header for tests postman-echo
Fix manage list HttpHeaders back from the Backend Server
Fix supportsReadStreaming InputStreamResource
Fix Errors RestControllerTest
Update ApplicationTestConfig and comment
Update OpenApi-ui springdoc 1.8
Clean code and comments
Update Spring Framework at version 5.3.39
Add Generics void logger
Clean code