Web Security: The important security points in a Tomcat web application

In this post, I would like to share some of the most important points I have learned about Tomcat security. This is not the only list of security points we should care about; my objective is to share what I have got to know.

In most cases the default security configuration of Tomcat may be adequate, but not when you have eCommerce running on the server and a small security weakness will have a big impact on your business. Let's look at a to-do list for securing a Tomcat application.

NOTE: Tomcat is not the only defence against cyber-security threats. The other systems, the network and the database also need to be secured.

Non-Tomcat security checks:

  • Do not run the Tomcat server as root. Create a dedicated user and give it the minimum adequate permissions: read access to the Tomcat installation and write access only to the directories Tomcat needs at runtime (logs, temp and work). Make sure this user cannot log in remotely, for example by giving it no password and a non-login shell.
  • Restrict directory permissions and keep the principle of least privilege in place. Not every user needs access to the log files, process configuration and so on.
  • Make sure the firewall allows only the incoming and outgoing connections you expect (for instance, from the proxy servers or load balancer in front of Tomcat) and denies every other connection request.
  • Keep a health-check page, exposed only to the internal network, and track the state of the Tomcat applications from there.

Tomcat server security checks:

  • All the default Tomcat web apps you do not need (ROOT, docs, examples, manager, host-manager) should be removed. In particular, do not leave the stock ROOT app in place: its welcome page advertises the Tomcat version, and if your own application has to be served from the root context, deploy it as ROOT in place of the default one.
  • Enable HTTPS connections even for internal networks that currently connect to the Tomcat server over plain HTTP.
  • Disable the Tomcat manager console and never leave the example credentials in tomcat-users.xml uncommented. Some users like to deploy through the console; if you really need it, restrict it as described in the management-application guidelines below.
  • Automatic deployment is convenient, but it is just as convenient for an attacker who has gained write access to the webapps directory to drop in a malicious application. The Host element has the autoDeploy and deployOnStartup attributes; keep both false (applications are then deployed only where you declare them explicitly, for example with a Context element in server.xml).
  • Follow the Tomcat "Securing Management Applications" guidelines:
    • Ensure that any users permitted to access the management application have strong passwords.
    • Do not remove the use of the LockOutRealm which prevents brute force attacks against user passwords.
    • Uncomment the RemoteAddrValve in the manager application's META-INF/context.xml, which limits access to localhost. If remote access is required, limit it to specific IP addresses using this valve.
  • Disable the shutdown listener by setting the Server port to "-1", or at least replace the default "SHUTDOWN" command string with a long random value.
  • By default, an HTTP and an AJP connector are configured. Connectors that will not be used should be removed from server.xml.

Web application specific security checks:

  • Restrict POST requests and the size of the request body. Only the POST requests you expect should be accepted, and the body size should be capped (maxPostSize on the Connector, or a limit enforced in the application itself).
  • Keep a custom error handler and make sure the application does not return big error reports, stack traces or Java code in the response. Such output helps an attacker understand the application.
  • Validate every user input.
  • Get security testing done before deploying an application to production.
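The server-side checks above (shutdown port, autoDeploy/deployOnStartup, unused AJP connector, LockOutRealm, HTTPS-only connectors) and the application checks (bounded POST body, no stack traces in error responses) can all be verified against a server.xml. The script below is an added example, not code from the original post or from the Tomcat project: it embeds two constructed server.xml fragments (a weak one close to a stock install and a hardened one) and audits them with the standard library; the keystore file name in the hardened fragment is an assumed name, and audit_file() is a helper added here for pointing the same checks at a real conf/server.xml.

```python
"""Audit a Tomcat server.xml for the settings discussed above (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed fragment, close to a stock install: shutdown listener with the
# default command, plain HTTP plus AJP, realm without LockOutRealm, autoDeploy on.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed hardened fragment; conf/localhost.p12 is an assumed keystore name.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxPostSize="1048576">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="false"
            autoDeploy="false" deployOnStartup="false">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

DEFAULT_MAX_POST = 2097152  # Tomcat's default maxPostSize (2 MB)


def _inside_lockout(elem: ET.Element, parent: dict) -> bool:
    """True if some ancestor of elem is a LockOutRealm."""
    node = parent.get(elem)
    while node is not None:
        if "LockOutRealm" in node.get("className", ""):
            return True
        node = parent.get(node)
    return False


def audit(xml_text: str) -> list[str]:
    """Return the findings for one server.xml; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings: list[str] = []

    # Shutdown listener: port -1 disables it; otherwise the command must not be the default.
    if root.get("port", "8005") != "-1" and root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("shutdown listener enabled with the default SHUTDOWN command")

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if "AJP" in conn.get("protocol", "HTTP/1.1"):
            findings.append(f"AJP connector on port {port}: remove it unless a front end uses it")
            continue
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"plaintext HTTP connector on port {port}")
        # A maxPostSize of 0 or less removes the request-body cap entirely.
        if int(conn.get("maxPostSize", DEFAULT_MAX_POST)) <= 0:
            findings.append(f"unbounded maxPostSize on port {port}")

    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if "LockOutRealm" not in cls and not _inside_lockout(realm, parent):
            findings.append(f"{cls.rsplit('.', 1)[-1]} is not wrapped in a LockOutRealm")

    for host in root.iter("Host"):
        name = host.get("name", "?")
        for attr in ("autoDeploy", "deployOnStartup"):  # both default to true when absent
            if host.get(attr, "true").lower() == "true":
                findings.append(f"Host {name} has {attr}=true")
        # Without a quiet ErrorReportValve, Tomcat's own error page for an
        # unhandled error carries the stack trace and the Tomcat version.
        quiet = any(
            v.get("className", "").endswith("ErrorReportValve")
            and v.get("showReport", "true") == "false"
            and v.get("showServerInfo", "true") == "false"
            for v in host.findall("Valve")
        )
        if not quiet:
            findings.append(f"Host {name} shows stack traces and server info on error pages")
    return findings


def audit_file(path: str) -> list[str]:
    """Audit a real server.xml on disk (helper added for this example)."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}:")
        for finding in audit(text) or ["no findings"]:
            print(f"  - {finding}")
```

Two caveats when reading the output: the ErrorReportValve on the Host only covers errors the application itself does not map with an error-page entry in its web.xml, so the custom error handler from the list above is still needed; and the script only sees configuration, so the non-Tomcat checks (which user the process runs as, file permissions on CATALINA_BASE, the firewall) have to be verified on the host itself.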


Categories: tomcat security, web application security, web security, webapps security
