5 Best Security Practices for Tomcat Servers

Harsh Gala Developer Tips, Tricks & Resources

Tomcat servers are widely used application servers for today’s development architectures, popular for hosting Java based applications. Below is a guide on best security practices for security your Tomcat Server environment.

1. Beware of Banner Grabbing

What is banner grabbing?

Banner grabbing is the process of gaining information from computer systems including services, open ports, version, etc.


New call-to-action

How banner grabbing affects tomcat?

When sending a server host request via telnet command, you pass along the server name, port, and version. This makes it easy for an attacker to use the displayed information and use the web server error pages to discover vulnerabilities and attack.

2. Disable Weak Ciphers and Protocols

What is Cipher?

In cryptology, a cipher is an algorithm for encrypting and decrypting data. In other words, a cipher is a method of hiding words or text with encryption by replacing original letters with other letters, numbers and symbols through substitution or transposition.

By enabling strong cipher suites and protocols,  improve security and reduce the risk of cyber security attacks. For example; TLS 1.3 is much better, faster and secure compared to TLS 1.2. Advantages of TLS 1.3 can improve your server performance and security.

Steps to disable weak ciphers

Backup server.xml file

1. Open this file for edit

2. Look for this line in the server.xml file

  <!– HTTPS Connector added by Automation API Installation –>

  <Connector port=”8443″ protocol=”org.apache.coyote.http11.Http11Protocol” SSLEnabled=”true”

  maxThreads=”150″ scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” keystoreFile=”conf/emweb_unsigned.keystore” keystorePass=”empass” />

3. Add the following line to disable the weak ciphers:

  ciphers=”<Required ciphers List”/>

  For example, to disable the 3DES and RC4 ciphers, add the following:

ciphers=”TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA” />

4.Restart Tomcat server.

3. Enable redirection and fix mix content

Redirection enhances security and provides encryption, with your website is displayed with a padlock sign. 

Below is the redirection code used in tomcat: 

  <security-constraint>  

       <web-resource-collection>  

          <web-resource-name>SECURE</web-resource-name>  

  <url-pattern>/*</url-pattern>  

         </web-resource-collection>  

  <user-data-constraint>  

  <transport-guarantee>CONFIDENTIAL</transport-guarantee>  

    </user-data-constraint>  

    </security-constraint>  

Mix content issues occur when some content loaded on the URL is not on https. Your website should not have any resources coming from HTTP. For better security practice, always try to fix mixed content errors when you come across any.

Below is the image which is seen when there is a mix content issue

4. Secure Tomcat Server

You may be using Tomcat servers in your production environment, backup environment, or test environment. Securing any environment is the best approach to follow. One way to secure your Tomcat server is to install SSL certificate on tomcat servers to protect all data in transit. Another way is to remove unsecured connectors from $tomcat/server.xml.

5. Enable Security through Monitoring

Monitoring the server for the availability and response time along with logs should be done regularly in order to track performance, CPU utilization, disk utilization, memory utilization, running services and processes.

Including an Application Performance Management tools, such as Stackify Retrace, allows users to accelerate application performance with centralized logging and error tracking.  

To learn more about monitoring Tomcat, check out our Step by Step Guide to Tomcat Performance Monitoring.