Difference between revisions of "Tomcat hardening"

From TempusServa wiki
Jump to navigation Jump to search
old>Admin
old>Admin
Line 26: Line 26:


=== CRSF filter (optional) ===
=== CRSF filter (optional) ===
The TS platform is mostly safe from CRSF attacks, so this filter is not strictly required.
The TS platform is allrady safe from CRSF attacks, so this filter is not strictly required.


In the APPLICATION web.xml (<tomcat>\webapps\<app>\WEB_INF\web.xml) add the following sections
The TS implemetation does not use rotating or pagespecific CRSF tokens, so if additional security is needed use the [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP implementation].
 
  <filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/login,/loginsso,/loginoauth,/mainpublic,/webinterface</param-value>
    </init-param>
  </filter>
 
  <filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


=== Validating your site ===
=== Validating your site ===

Revision as of 14:51, 14 February 2018


Update tomcat (recommended)

Versions below 8 contain vulnerbilities

Secure SSL ciphers (recommended)

Change the HTTP connector please use the following ciphers (<tomcat>\conf\server.xml)

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256

List updated: 2018-02-07

Secure headers (recommended)

In the SERVER web.xml (<tomcat>\conf\web.xml) uncomment the following sections

 <filter>
   <filter-name>httpHeaderSecurity</filter-name>
   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
   <async-supported>true</async-supported>
 </filter>
 <filter-mapping>
   <filter-name>httpHeaderSecurity</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

CRSF filter (optional)

The TS platform is allrady safe from CRSF attacks, so this filter is not strictly required.

The TS implemetation does not use rotating or pagespecific CRSF tokens, so if additional security is needed use the OWASP implementation.

Validating your site

You can use the following services to check the security of your intsallation

Test SSL

Tip: Remember to check "Do not show the results on the boards"

https://www.ssllabs.com/ssltest/

Test Headers

https://tools.geekflare.com/report/header-security-test