Difference between revisions of "Tomcat hardening"

From TempusServa wiki
Latest revision as of 11:55, 10 December 2021


Update Tomcat (recommended)

Tomcat versions below 8 are end of life and contain known, unpatched vulnerabilities. Run a currently supported release and keep it patched.

Secure SSL ciphers (recommended)

Set the ciphers attribute of the HTTPS Connector in <tomcat>\conf\server.xml (on Tomcat 8.5 and later the attribute sits on the connector's SSLHostConfig element) to the following list

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256

List updated: 2018-02-07

The list dates from 2018. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES, Sweet32) and the TLS_RSA_* suites (static RSA key exchange, so no forward secrecy) should now be dropped in favour of the ECDHE AES-GCM suites, and the connector should offer only TLSv1.2 and TLSv1.3.
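As an added example (not part of the TempusServa wiki or of the Tempus Serva product), the script below parses a server.xml and flags the suites and protocols a current TLS audit would reject. The two server.xml fragments are constructed for the example: one carries the list above on a Tomcat 8.0-style connector with TLS 1.0/1.1 still enabled, the other is a hardened Tomcat 8.5+ SSLHostConfig. The classification rules (3DES/RC4/NULL/export/MD5 as weak, anything not (EC)DHE or TLS 1.3 as lacking forward secrecy, CBC as legacy) are the script's own, and it only understands IANA-style suite names, not OpenSSL-style ones.

```python
"""Offline audit of the TLS settings in a Tomcat server.xml.

Added example for this page; not part of the TempusServa wiki or of the
Tempus Serva product. Both server.xml fragments are constructed (the real
file is <tomcat>/conf/server.xml).
"""
import xml.etree.ElementTree as ET

# Constructed: the page's 2018 list on a Tomcat 8.0-style connector.
SERVER_XML_2018 = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>"""

# Constructed: Tomcat 8.5+ SSLHostConfig, TLS 1.2/1.3 only, AEAD suites with
# forward secrecy. Keystore password attribute left out on purpose.
SERVER_XML_HARDENED = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                     ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,
                              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "DES_", "_MD5", "3DES")


def classify_suite(name):
    """Issues for one IANA-style suite name; an empty list means acceptable."""
    issues = []
    if any(marker in name for marker in WEAK_MARKERS):
        issues.append("weak-cipher")
    tls13 = name.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    if not tls13 and not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        issues.append("no-forward-secrecy")  # static RSA or static DH key exchange
    if "_CBC_" in name:
        issues.append("cbc-mode")  # prefer AEAD suites (GCM, ChaCha20-Poly1305)
    return issues


def _split(value, seps):
    for sep in seps:
        value = value.replace(sep, " ")
    return value.split()


def audit_server_xml(xml_text):
    """Findings for every SSL-enabled <Connector> in a server.xml string."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # Tomcat 8.0 keeps the settings on the Connector; 8.5+ on SSLHostConfig.
        for cfg in list(conn.iter("SSLHostConfig")) or [conn]:
            protocols = cfg.get("protocols") or cfg.get("sslEnabledProtocols") or ""
            for proto in _split(protocols, ",+"):  # "all" is version dependent, not expanded
                if proto in LEGACY_PROTOCOLS:
                    findings.append({"port": port, "item": proto, "issue": "legacy-protocol"})
            for suite in _split(cfg.get("ciphers", ""), ",:"):
                if not suite.startswith("TLS_"):
                    findings.append({"port": port, "item": suite, "issue": "not-iana-name"})
                    continue
                for issue in classify_suite(suite):
                    findings.append({"port": port, "item": suite, "issue": issue})
    return findings


if __name__ == "__main__":
    for label, text in (("2018 list", SERVER_XML_2018), ("hardened", SERVER_XML_HARDENED)):
        print(label)
        for f in audit_server_xml(text) or [{"port": "-", "item": "-", "issue": "ok"}]:
            print("  port %s: %s -> %s" % (f["port"], f["item"], f["issue"]))
```

Run it against your own file with `audit_server_xml(open("conf/server.xml").read())`; the 2018 list yields one weak-cipher (3DES), three no-forward-secrecy and seven cbc-mode findings plus the two legacy protocols, while the hardened fragment yields none.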

Secure headers (recommended)

In the SERVER web.xml (<tomcat>\conf\web.xml) uncomment the httpHeaderSecurity filter and its mapping and add the antiClickJackingOption init-param shown below (SAMEORIGIN; the filter's default is DENY). The filter also sends Strict-Transport-Security on HTTPS responses, but with the default hstsMaxAgeSeconds of 0 the header carries max-age=0 and browsers enforce nothing, so add an init-param for hstsMaxAgeSeconds (for example 31536000) if HSTS is wanted.

 <filter>
   <filter-name>httpHeaderSecurity</filter-name>
   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
   <async-supported>true</async-supported>
   <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
   </init-param>
 </filter>
 <filter-mapping>
   <filter-name>httpHeaderSecurity</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

Additional CSRF filtering (optional)

The TS platform is already protected against CSRF attacks: CSRF tokens are generated at login and required for all data-altering transactions.

The TS implementation does not use rotating or page-specific CSRF tokens, so if additional security is needed use the OWASP implementation (https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project).

Additional security filters (optional)

Tempus Serva ships with several additional security filters:

  • Lock user session to IP
  • Lock service to listed countries
  • Use passcode sent by SMS

The filters are activated by uncommenting the corresponding code in the application's /WEB-INF/web.xml.

The filters can be applied to any part of the application: login, designer, web interface and REST.

Validating your site

You can use the following services to check the security of your installation

Test SSL

Tip: Remember to check "Do not show the results on the boards" so that your host name is not listed on the public results page

https://www.ssllabs.com/ssltest/

Test Headers

https://tools.geekflare.com/report/header-security-test
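The header test above runs against a live site. As an added example that is not part of the TempusServa wiki or of the Tempus Serva product, the script below performs the same check offline for the HttpHeaderSecurityFilter configuration from the "Secure headers" section: it reads the filter's init-params out of a web.xml, derives the headers the filter will send using the defaults documented for the Tomcat filter (hstsMaxAgeSeconds 0, antiClickJackingOption DENY, hstsEnabled, antiClickJackingEnabled and blockContentTypeSniffingEnabled true), and audits them. Both web.xml fragments are constructed; X-XSS-Protection is left out because its default differs between Tomcat versions; the one-year HSTS threshold and the finding texts are the example's own.

```python
"""Derive and audit the headers Tomcat's HttpHeaderSecurityFilter will send.

Added example for this page, not part of the TempusServa wiki or of the Tempus
Serva product. Both web.xml fragments are constructed; the filter defaults are
the documented ones; X-XSS-Protection is not modelled.
"""
import re
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
ONE_YEAR = 31536000  # the example's threshold for an acceptable HSTS max-age

# Constructed: the fragment recommended on this page (no hstsMaxAgeSeconds).
WEB_XML_PAGE = """<web-app>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed: the same filter with HSTS enforced for a year, subdomains included.
WEB_XML_HSTS = WEB_XML_PAGE.replace(
    "<async-supported>true</async-supported>",
    "<async-supported>true</async-supported>\n"
    "    <init-param><param-name>hstsMaxAgeSeconds</param-name>"
    "<param-value>31536000</param-value></init-param>\n"
    "    <init-param><param-name>hstsIncludeSubDomains</param-name>"
    "<param-value>true</param-value></init-param>")


def _local(tag):
    """Strip the XML namespace that a real conf/web.xml carries."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def filter_config(web_xml):
    """(init_params, url_patterns) for the filter, or None if it is not declared."""
    root = ET.fromstring(web_xml)
    name, params = None, {}
    for elem in root.iter():
        if _local(elem.tag) == "filter" and _child_text(elem, "filter-class") == FILTER_CLASS:
            name = _child_text(elem, "filter-name")
            for ip in elem:
                if _local(ip.tag) == "init-param":
                    params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
    if name is None:
        return None
    patterns = [_child_text(m, "url-pattern") for m in root.iter()
                if _local(m.tag) == "filter-mapping" and _child_text(m, "filter-name") == name]
    return params, patterns


def expected_headers(params, secure_request=True):
    """Headers the filter adds to one response, following its documented defaults."""
    def enabled(key, default):
        return params.get(key, str(default)).lower() == "true"

    headers = {}
    # HSTS is only added to responses for HTTPS requests; the default max-age
    # of 0 tells browsers to forget any stored policy for the host.
    if enabled("hstsEnabled", True) and secure_request:
        value = "max-age=%d" % max(0, int(params.get("hstsMaxAgeSeconds", "0")))
        if enabled("hstsIncludeSubDomains", False):
            value += ";includeSubDomains"
        if enabled("hstsPreload", False):
            value += ";preload"
        headers["Strict-Transport-Security"] = value
    if enabled("antiClickJackingEnabled", True):
        option = params.get("antiClickJackingOption", "DENY").upper()
        if option == "ALLOW-FROM":
            option += " " + params.get("antiClickJackingUri", "")
        headers["X-Frame-Options"] = option
    if enabled("blockContentTypeSniffingEnabled", True):
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def audit_headers(headers):
    """Findings for a response-header dict; works on headers fetched live as well."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    match = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not match:
        findings.append("HSTS header missing")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age %s is below one year" % match.group(1))
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weaker than SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def audit_web_xml(web_xml):
    """Findings for a web.xml: filter declared, mapped to /*, and the headers it yields."""
    cfg = filter_config(web_xml)
    if cfg is None:
        return ["HttpHeaderSecurityFilter not declared (still commented out?)"]
    params, patterns = cfg
    findings = [] if "/*" in patterns else ["filter not mapped to /*"]
    return findings + audit_headers(expected_headers(params))


if __name__ == "__main__":
    for label, xml in (("page fragment", WEB_XML_PAGE), ("with HSTS", WEB_XML_HSTS)):
        print(label, audit_web_xml(xml) or ["ok"])
```

Point `audit_web_xml` at your own <tomcat>\conf\web.xml to confirm the filter is uncommented and mapped to /*; the page's fragment reports only that HSTS max-age is 0, and `audit_headers` accepts the header dictionary of a live response too.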