Difference between revisions of "Tomcat hardening"
Jump to navigation
Jump to search
old>Admin |
old>Admin |
||
Line 30: | Line 30: | ||
The TS implemetation does not use rotating or pagespecific CRSF tokens, so if additional security is needed use the [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP implementation]. | The TS implemetation does not use rotating or pagespecific CRSF tokens, so if additional security is needed use the [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP implementation]. | ||
=== | === Additional security filters (optional) === | ||
* Restrict usage to certain countries | |||
=== Lock user session to IP (optional) === | === Lock user session to IP (optional) === |
Revision as of 14:55, 14 February 2018
Update tomcat (recommended)
Versions below 8 contain vulnerbilities
Secure SSL ciphers (recommended)
Change the HTTP connector please use the following ciphers (<tomcat>\conf\server.xml)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256
List updated: 2018-02-07
Secure headers (recommended)
In the SERVER web.xml (<tomcat>\conf\web.xml) uncomment the following sections
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter>
<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Additional CRSF filtering (optional)
The TS platform is allrady safe from CRSF attacks. CRSF tokens are generated at login and required for all data altering transactions.
The TS implemetation does not use rotating or pagespecific CRSF tokens, so if additional security is needed use the OWASP implementation.
Additional security filters (optional)
- Restrict usage to certain countries
Lock user session to IP (optional)
Use passcode sent by SMS (optional)
Validating your site
You can use the following services to check the security of your intsallation
Test SSL
Tip: Remember to check "Do not show the results on the boards"
https://www.ssllabs.com/ssltest/