Tomcat hardening
Revision as of 18:14, 11 February 2018 by old>Admin (→CRSF filter (optional))
Update tomcat (recommended)
Versions below 8 contain vulnerbilities
Secure SSL ciphers (recommended)
Change the HTTP connector please use the following ciphers (<tomcat>\conf\server.xml)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256
List updated: 2018-02-07
Secure headers (recommended)
In the SERVER web.xml (<tomcat>\conf\web.xml) uncomment the following sections
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter>
<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
CRSF filter (optional)
The TS platform is mostly safe from CRSF attacks, so this filter is not strictly required.
In the APPLICATION web.xml (<tomcat>\webapps\<app>\WEB_INF\web.xml) add the following sections
<filter> <filter-name>CsrfFilter</filter-name> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class> <init-param> <param-name>entryPoints</param-name> <param-value>/login,/loginsso,/loginoauth,/mainpublic,/webinterface</param-value> </init-param> </filter>
<filter-mapping> <filter-name>CsrfFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Validating your site
You can use the following services to check the security of your intsallation
Test SSL
Tip: Remember to check "Do not show the results on the boards"
https://www.ssllabs.com/ssltest/