In this post, I would like to share some of the most important points which I have learned in tomcat security. This isn’t the only list of security points which we should care, however, my objective is to share what I got to know.
In most of the cases, the default security configuration of tomcat may be adequate, but not when you have eCommerce running on the server & small security implication will have a big impact on your business. Let’s see some of the TO-DO lists to secure tomcat application.
NOTE: Tomcat is not the only defence against cybersecurity threats. There are many other systems, networks, the database needs to be secured.
Non-tomcat security checks:
- Do not run tomcat server on root user. Create another dedicated user & provide minimum adequate permission to the new user. And, Make sure user should not be able to remotely log on in tomcat server.
- Have restricted directories. Keep The principle of least privilege in place. Every user should not have access to logs file, process configurations etc.
- Make sure firewall is configured for the incoming & outgoing connections requests which you expect else deny any other connection request. For instance, proxy servers in load balancing.
- Keep health check page & internal network tracking of Tomcat applications.
Tomcat server security checks:
- All default tomcat web apps should be removed. If your web apps named as root then rename it. Root app isn’t safe to use.
- Enable HTTPS connections even for internal networks which are connecting to the tomcat server un-securely.
- Disabled tomcat console & default credentials. Some users like to deploy tomcat through the console.
- Automatic deployment is easy for deployment, however, it is easy for hackers as well to install a malicious application. Host element has autoDeploy and deployOnStartup. Keep these attributes false.
- Follow tomcat Securing Management Applications guidelines.
- Ensure that any users permitted to access the management application have strong passwords.
- Do not remove the use of the LockOutRealm which prevents brute force attacks against user passwords.
- Uncomment the RemoteAddrValve in which limits access to localhost. If remote access is required, limit it to specific IP addresses using this valve.
- Disabled the shutdown by setting up port as “-1” or have a strong password in the shutdown process.
- By default, an HTTP and an AJP connector are configured. Connectors that will not be used should be removed from server.xml.
Web application specific security checks:
- Restrict POST request & size of the request. An only expected POST request should be allowed.
- Keep custom error handler & make sure application do not throw big application error & java code in response. It helps hackers to understand the application.
- Keep validation of every user inputs.
- Get security testing done before deploying an application in prod.