Details

Use the transport-guarantee attribute to ensure SSL protection when accessing all applications. This can be overridden on a per application basis in the application configuration.

Rationale:

By default, when accessing applications SSL will be enforced to protect information sent over the network. By using the transport-guarantee attribute within web.xml, SSL is enforced.

Note: This requires SSL to be configured.

Solution

Set transport-guarantee to CONFIDENTIAL in $CATALINA_HOME/conf/web.xml:

CONFIDENTIAL

Impact:

If the data protection level is set to INTEGRAL or CONFIDENTIAL, and the client is not already using SSL, then the client is redirected to the same URI, but using port 443 or the port defined for the redirectPort attribute in the element in server.xml.

Default Value:

By default this configuration is not present.

References:

https://www.owasp.org/index.php/Securing_tomcat

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-8
• CSCv7|14.4

Source

• Tenable.com/audits