This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Securing tomcat"
From OWASP
(→Network Security) |
(→User Input) |
||
Line 22: | Line 22: | ||
* permission lockdown (see below) | * permission lockdown (see below) | ||
− | + | :I think this section would be more appropriate for apps themselves, rather than applying to the server as a whole. [[User:Stephendv|Stephendv]] 04:24, 16 October 2006 (EDT) |
Revision as of 08:28, 16 October 2006
Installation
- Choose an installation directory (referenced as TOMCAT_DIR from now on), preferably on a different drive to the OS.
- do we get many advantages separating application and webapps? - Darren Edmonds
- it could prevent path traversal under windows, but not unix. Separating apps from OS is common good practice anyway. Stephendv 02:32, 9 October 2006 (EDT)
- Change the default HTTP port to something other than 8080. This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities.
- As you say, there's probably not any real benefit to recommending this. Stephendv 02:32, 9 October 2006 (EDT)
Network Security
Generic advice common to all server security (link).
- Not sure what information should go here? Stephendv 04:21, 16 October 2006 (EDT)
User Input
User data, whether it be HTTP headers or parameters, should '"never"' be trusted. It is usually the responsibility of the application to validate data, but it is important that one poorly written application doesn't compromise Tomcat as a whole.
- global filters
- global error pages (see above)
- permission lockdown (see below)
- I think this section would be more appropriate for apps themselves, rather than applying to the server as a whole. Stephendv 04:24, 16 October 2006 (EDT)