Though useful for debugging, enabling allowTrace can expose some browsers to an cross-site scripting XSS attack. If the port must be kept open, be sure to configure a strong password for shutdown. Either disable the shutdown port by setting the port attribute in the server.xml file to -1. This prevents malicious actors from shutting down Tomcat's web services. Put Tomcat's Shutdown Procedure on Lockdown Tomcat's examples web application is an application that should be removed to prevent exploitation. These applications have been known to harbor vulnerabilities, and should be removed if not in use. Most web server platforms also provide a set of sample or test web application for demo and learning purposes. Remove Any Default Sample or Test Web Applications In Tomcat's case, a user with the minimum necessary OS permissions should be created exclusively to run the Tomcat process. ![]() Web-related services should not be run by user accounts with a high level of administrative access. This line of advice applies to most web server platforms. The following are 15 way to secure Apache Tomcat 8, out-of-the-box. ![]() Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense-even if you don't plan on using it on your plane's network. Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall.
0 Comments
Leave a Reply. |