Hello,
I’ve got a vaadin application (8.4.5). It runs on Tomee (7.0.4). A group did vulnerability tests.
They gave some security advices:
1.) Need to set “X-Frame-Options” to avoid the user scam.
How can I did this?
I did this in the servlet:
[...]
@Override
protected void service( HttpServletRequest request, HttpServletResponse response ) throws ServletException, IOException {
response.setHeader("X-Frame-Options", "DENY");
super.service(request, response);
}
[...]
Is it ok or not?
2.) Need to set “Secure” flag in cookie.
My “solution” is not nice - I think. And doesn’t work. 
First: in the UI’s init method:
[...]
Cookie[] cs = VaadinService.getCurrentRequest().getCookies();
if ( cs != null ) {
for ( Cookie c : cs ) {
if ( "JSESSIONID".equals(c.getName()) && BooleanUtils.isFalse(c.getSecure()) ) {
c.setSecure(true);
VaadinService.getCurrentResponse().addCookie(c);
}
}
}
[...]
So this code has not any affect ( → Firefox → F12 → Storage tab → check JESSIONID → Secure flag false 
).
Other way: in the web.xml:
[...]
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
[...]
If I use this setting (this row: true), the session expire immediately. What did I do wrong?
3.) Need to hide version numbers (vaadin, athmosphere).
I think it’s impossible, because the version number is part of vaadin. It uses for reference to bootstrap.
4.) There are no error pages.
There is an custom error handler. I think these error pages have to set in tomee…
Thx,
Peter