Disabling auto deployment of applications Details Tomcat allows auto deployment of applications while Tomcat is running. It is recommended that this capability be disabled. Rationale:...
Do not allow additional path delimiters – ALLOW_BACKSLASH Details Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were...
Do not allow additional path delimiters – ALLOW_ENCODED_SLASH Details Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were...
Do not resolve hosts on logging valves Details Setting enableLookups to true on Connector will result in DNS look-ups to obtain the host name of the...
Enable strict servlet Compliance Details The STRICT_SERVLET_COMPLIANCE influences Tomcat’s behavior in several subtle ways. See the References below for the complete list. It is...
Ensure className is set correctly in context.xml Details Ensure the className attribute is set to AccessLogValve. The className attribute determines the access log valve to be used...
Ensure Server Header is Modified to Prevent Information Disclosure Details The server header is a vanity header developed to help identify the underlying technology in a server for troubleshooting...
Force SSL for all applications Details Use the transport-guarantee attribute to ensure SSL protection when accessing all applications. This can be overridden on a per...
Remove extraneous files and directories – @CATALINA_HOME@/webapps/docs Details The installation may provide example applications, documentation, and other directories which may not serve a production use. Rationale: Removing...
Remove extraneous files and directories – @CATALINA_HOME@/webapps/examples Details The installation may provide example applications, documentation, and other directories which may not serve a production use. Rationale: Removing...