Difference between revisions of "Tomcat hardening"

Update tomcat (recommended)

Versions below 8 contain vulnerbilities

Secure SSL ciphers (recommended)

Change the HTTP connector please use the following ciphers (<tomcat>\conf\server.xml)

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256

List updated: 2018-02-07

Secure headers (recommended)

In the SERVER web.xml (<tomcat>\conf\web.xml) uncomment the following sections

 <filter>
   <filter-name>httpHeaderSecurity</filter-name>
   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
   <async-supported>true</async-supported>
 </filter>

 <filter-mapping>
   <filter-name>httpHeaderSecurity</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

CRSF filter (optional)

The TS platform is bascially safe from CRSF attacks, so this filter is not strictly required.

In the APPLICATION web.xml (<tomcat>\webapps\<app>\WEB_INF\web.xml) add the following sections

 <filter>
   <filter-name>CsrfFilter</filter-name>
   <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
   <init-param>
     <param-name>entryPoints</param-name>
     <param-value>/login,/loginsso,/loginoauth,/mainpublic,/webinterface,/login.do</param-value>
   </init-param>
 </filter>

 <filter-mapping>
   <filter-name>CsrfFilter</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

Validating your site

You can use the following services to check the security of your intsallation

Test SSL

Tip: Remember to check "Do not show the results on the boards"

https://www.ssllabs.com/ssltest/

Test Headers

https://tools.geekflare.com/report/header-security-test