
Talk:Securing tomcat

Revision as of 08:21, 16 October 2006 by Stephendv (talk | contribs)

  • Choose an installation directory (referenced as TOMCAT_DIR from now on), preferably on a different drive to the OS.
 Do we get many advantages from separating the application and webapps? 
  - It could prevent path traversal under Windows, but not Unix.  Separating apps from the OS is common good practice anyway.  Stephendv 02:32, 9 October 2006 (EDT)
  • Change the default HTTP port to something other than 8080. This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities.
  - As you say, there's probably not any real benefit to recommending this.  Stephendv 02:32, 9 October 2006 (EDT)

Network Security

Generic advice common to all server security (link).

- Not sure what information should go here? Stephendv 04:21, 16 October 2006 (EDT)

User Input

User data, whether it be HTTP headers or parameters, should never be trusted. It is usually the responsibility of the application to validate data, but it is important that one poorly written application doesn't compromise Tomcat as a whole.

  • global filters
  • global error pages (see above)
  • permission lockdown (see below)
 - I think this section would be more appropriate for apps themselves, rather than applying to the server as a whole.
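
As an added illustration of what "global" means for the filters and error pages listed above (this is example configuration, not text from the article or from the discussion): Tomcat merges its default deployment descriptor, TOMCAT_DIR/conf/web.xml, into every deployed web application, so declarations placed there apply server-wide rather than per application. The filter class name below is a hypothetical placeholder; a class referenced from the default descriptor must be loadable by every webapp, so it would have to live on Tomcat's shared/common class path rather than inside one application's WEB-INF.

```xml
<!-- Fragment of TOMCAT_DIR/conf/web.xml (assumed location; added example, not from the article).
     Tomcat merges this default descriptor into every deployed webapp, so the
     declarations below apply to all applications, not just one. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <!-- Global filter. The class name is a hypothetical placeholder: any class
         referenced here must be visible to every webapp, i.e. loaded from
         Tomcat's shared/common class path, not from one application's WEB-INF. -->
    <filter>
        <filter-name>RequestSanitizingFilter</filter-name>
        <filter-class>com.example.RequestSanitizingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>RequestSanitizingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Global error pages. These replace Tomcat's default error report, which
         otherwise shows a stack trace and the server version string to the client.
         <location> is resolved relative to each webapp's context, so the static
         page must exist at this path in every application. -->
    <error-page>
        <error-code>404</error-code>
        <location>/error.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error.html</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.html</location>
    </error-page>
</web-app>
```

The point of doing this at the server level rather than in each application's own web.xml is the one the section makes: an application that forgets to declare its own error pages still does not leak a stack trace, because the default descriptor supplies them. An application can still override these entries in its own WEB-INF/web.xml, so the server-wide settings are a floor, not a guarantee.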