Disable Unused Connectors Details The default installation of Tomcat includes connectors with default settings. These are traditionally set up for convenience. It is...
Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors Details The xPoweredBy setting determines if Apache Tomcat will advertise its presence via the X-Powered-By HTTP header. It is recommended...
Disabling auto deployment of applications Details Tomcat allows auto deployment of applications while Tomcat is running. It is recommended that this capability be disabled. Solution...
Do not allow additional path delimiters (ALLOW_BACKSLASH) Details Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were...
Do not allow custom header status messages Details Being able to specify custom status messages opens up the possibility for additional headers to be injected. If custom...
Do not allow additional path delimiters (ALLOW_ENCODED_SLASH) Details Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were...
Do not resolve hosts on logging valves Details Setting enableLookups to true on a Connector requires a DNS look-up before logging the information. This adds additional resources when...
Ensure className is set correctly in context.xml Details Ensure the className attribute is set to AccessLogValve. The className attribute determines the access log valve to be used...
Force SSL for all applications Details Use the transport-guarantee attribute to ensure SSL protection when accessing all applications. This can be overridden to be disabled...
Remove extraneous files and directories (CONFIG_DIR/Catalina/localhost/host-manager.xml) Details The installation may provide example applications, documentation, and other directories which may not serve a production use. Solution Perform...
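The settings listed above can be checked mechanically rather than by eye. The following Python script is an added example, not code from this page, from the CIS benchmark or from any audit tool: it parses constructed copies of server.xml, catalina.properties, web.xml and context.xml (the sample contents are made up for the demonstration, one deliberately weak and one hardened) and reports which of the listed settings are missing. It assumes the attribute and property names documented for Tomcat 8.5/9 (xpoweredBy, server, enableLookups, autoDeploy, deployOnStartup on the Connector and Host elements; ALLOW_BACKSLASH, ALLOW_ENCODED_SLASH and USE_CUSTOM_STATUS_MSG_IN_HEADER as catalina.properties keys); newer Tomcat releases expose some of these as Connector attributes instead, and the server="web" value and all function names are arbitrary choices for the example.

```python
"""Audit Tomcat config fragments for the hardening items listed on this page.

Added example with constructed sample configs; property and attribute names
are those documented for Tomcat 8.5/9 (assumption, check your version).
"""
import xml.etree.ElementTree as ET

# Constructed, deliberately weak fragments (not from a real installation).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="true" enableLookups="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true" deployOnStartup="true"/>
    </Engine>
  </Service>
</Server>"""
WEAK_CATALINA_PROPERTIES = "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true\n"
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>"""
WEAK_CONTEXT_XML = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"

# Constructed hardened counterparts; server="web" is an arbitrary replacement value.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               xpoweredBy="false" server="web" enableLookups="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="false" deployOnStartup="false"/>
    </Engine>
  </Service>
</Server>"""
HARDENED_CATALINA_PROPERTIES = """org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false
org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false
"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
HARDENED_CONTEXT_XML = ('<Context><Valve className="org.apache.catalina.valves.AccessLogValve" '
                        'directory="logs" prefix="localhost_access_log" suffix=".txt" '
                        'pattern="%h %l %u %t &quot;%r&quot; %s %b"/></Context>')

# catalina.properties keys the benchmark items above ask to set to false.
REQUIRED_PROPERTIES = (
    "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH",
    "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH",
    "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
)


def _local(tag):
    """Strip a namespace prefix: '{uri}name' -> 'name' (web.xml is namespaced)."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(text):
    """Connector header, DNS-lookup and extra-connector checks, plus Host auto deployment."""
    findings = []
    root = ET.fromstring(text)
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        protocol = c.get("protocol", "HTTP/1.1")  # Tomcat default when omitted
        if not protocol.startswith("HTTP"):
            findings.append(f"connector {port}: {protocol} connector present; remove if unused")
        if c.get("xpoweredBy", "false").lower() != "false":
            findings.append(f"connector {port}: xpoweredBy is not false")
        if not c.get("server"):
            findings.append(f"connector {port}: server attribute not set")
        if c.get("enableLookups", "false").lower() != "false":
            findings.append(f"connector {port}: enableLookups is not false")
    for h in root.iter("Host"):
        for attr in ("autoDeploy", "deployOnStartup"):  # both default to true
            if h.get(attr, "true").lower() != "false":
                findings.append(f"host {h.get('name')}: {attr} is not false")
    return findings


def audit_catalina_properties(text):
    """Each required key must be present and explicitly false."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return [f"{k} is not false (value: {props.get(k, '<missing>')})"
            for k in REQUIRED_PROPERTIES if props.get(k, "").lower() != "false"]


def audit_web_xml(text):
    """A security-constraint covering /* must carry transport-guarantee CONFIDENTIAL."""
    for sc in ET.fromstring(text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["web.xml: no security-constraint covering /* with transport-guarantee CONFIDENTIAL"]


def audit_context_xml(text):
    """An access log valve must be configured with the AccessLogValve className."""
    valves = [v.get("className", "") for v in ET.fromstring(text).iter("Valve")]
    if "org.apache.catalina.valves.AccessLogValve" not in valves:
        return ["context.xml: no Valve with className org.apache.catalina.valves.AccessLogValve"]
    return []


def audit_all(server_xml, catalina_props, web_xml, context_xml):
    return (audit_server_xml(server_xml) + audit_catalina_properties(catalina_props)
            + audit_web_xml(web_xml) + audit_context_xml(context_xml))


if __name__ == "__main__":
    for f in audit_all(WEAK_SERVER_XML, WEAK_CATALINA_PROPERTIES, WEAK_WEB_XML, WEAK_CONTEXT_XML):
        print("FAIL:", f)
    print("hardened findings:", audit_all(HARDENED_SERVER_XML, HARDENED_CATALINA_PROPERTIES,
                                           HARDENED_WEB_XML, HARDENED_CONTEXT_XML))
```

Against the weak fragments the script reports twelve findings (three header and lookup issues plus the AJP connector and both auto deployment attributes in server.xml, the three properties, the missing transport guarantee and the missing access log valve); against the hardened fragments it reports none. On a real host, read the files from CATALINA_BASE/conf instead of the embedded strings, and treat the "connector present" line as a prompt to confirm the connector is unused rather than as a verdict.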