
Recommended Tomcat Security Settings

There are a number of security settings that we recommend you configure in Tomcat.

You can either configure these settings globally for the entire Tomcat installation or individually for each web application.

Step 1 - SameSite Cookies

The first step is to prevent the browser from sending cookies with cross-site requests. See https://owasp.org/www-community/SameSite for more details on why this is important.

This configuration is supported from Tomcat 9.0.21 onwards.

  1. Open one of the following configuration files in a text editor:

    • <tomcat_home>/conf/context.xml (to change the setting globally); or

    • <tomcat_home>/webapps/webapi/META-INF/context.xml (to change the setting for SuperWEB2 only).

  2. Add one of the following lines before the closing </Context> tag at the bottom of the file.

    • Either:

      XML
      <CookieProcessor sameSiteCookies="strict" />

    • Or:

      XML
      <CookieProcessor sameSiteCookies="lax" />

    You will want to set this value to lax if you expect to use the direct URLs feature, as this allows cookies to be sent when users follow direct links from third-party websites (which means that users who are already logged in to SuperWEB2 will not have to log in again to access the link, and that the guest account can be used automatically if users are not logged in and the resource is accessible to guests). Direct URLs from third-party/external websites will not work if Tomcat is configured to use the strict setting (although direct URLs from a website on the same domain, such as your main website, will continue to work).

  3. Save your changes.

Step 2 - Configure Secure Cookies, Prevent Clickjacking and Block Content Type Sniffing

The next step is to configure secure cookies, set the HttpOnly flag, prevent clickjacking and block content type sniffing. For details on why these settings are important, see: https://owasp.org/www-community/HttpOnly, https://owasp.org/www-community/controls/SecureCookieAttribute, and https://owasp.org/www-community/attacks/Clickjacking.

This configuration is supported from Tomcat 7.0 onwards.

  1. Open one of the following configuration files in a text editor:

    • <tomcat_home>/conf/web.xml (to change the settings globally); or

    • <tomcat_home>/webapps/webapi/WEB-INF/web.xml (to change the settings for SuperWEB2 only).

  2. If you are editing the global file, locate the following section, which is commented out by default:

    XML
    <!--
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
        </filter>
    -->
  3. If you are editing the global file, delete the above section and replace it with the following filters. If you are editing the SuperWEB2-specific file, then you can add these filters anywhere before the closing </web-app> tag at the end of the file:

    XML
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>antiClickJackingEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
            <init-param>
                <param-name>blockContentTypeSniffingEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
  4. If you are editing the global settings, locate the <session-config> section, which will be similar to the following (this section does not appear by default in the SuperWEB2-specific web.xml file):

    XML
        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>
  5. Add the following <cookie-config> ... </cookie-config> settings before the closing </session-config> tag (if you are editing the SuperWEB2-specific web.xml file, then add the <session-config> tags with the <cookie-config> settings inside somewhere before the closing </web-app> tag at the end of the file):

    XML
        <session-config>
            ...
            <cookie-config>
                <http-only>true</http-only>
                <secure>true</secure>
            </cookie-config>
        </session-config>
  6. Save your changes.

This change configures Tomcat to only allow cookies over a secure connection, so you will also need to configure your server to use SSL. SuperWEB2 will not work correctly with secure cookies configured if you attempt to use your deployment over HTTP, except when accessing the site via localhost or 127.0.0.1.

If you want to allow access to your SuperWEB2 internally without using SSL, an alternative is to configure secure cookies at the reverse proxy level rather than in the Tomcat configuration.
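Before restarting, it is worth confirming that web.xml actually contains everything Step 2 asks for: the filter definition with its three init-params, a mapping for /*, and a <cookie-config> with both flags set. The following audit script is an added example for this page, not part of the SuperWEB2 documentation or of Tomcat; the two web.xml documents embedded in it are constructed samples (a hardened file that mirrors Step 2 and a default-style file where the filter is still commented out), and the function names are ours.

```python
"""Audit a Tomcat web.xml for the Step 2 settings: HttpHeaderSecurityFilter with
its init-params and mapping, plus <cookie-config> http-only/secure.
Added example for this page; it is not part of the SuperWEB2 documentation."""
import xml.etree.ElementTree as ET

SECURITY_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
EXPECTED_FILTER_PARAMS = {            # values the page's Step 2 configures
    "antiClickJackingEnabled": "true",
    "antiClickJackingOption": "SAMEORIGIN",
    "blockContentTypeSniffingEnabled": "true",
}


def _local(tag):
    """Drop the namespace prefix so web.xml files of any Servlet spec version match."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first child called `name`, or None if absent/empty."""
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every Step 2 setting is present.
    The parser drops XML comments, so a filter that is still commented out
    (as in the default global web.xml) is reported as missing."""
    root = ET.fromstring(xml_text)
    findings = []

    sec_filters = [f for f in _children(root, "filter")
                   if _text(f, "filter-class") == SECURITY_FILTER_CLASS]
    if not sec_filters:
        findings.append("HttpHeaderSecurityFilter is not defined (or still commented out)")
    else:
        flt = sec_filters[0]
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _children(flt, "init-param")}
        for name, want in EXPECTED_FILTER_PARAMS.items():
            if params.get(name) != want:
                findings.append(f"init-param {name} is {params.get(name)!r}, expected {want!r}")
        fname = _text(flt, "filter-name")
        if not any(_text(m, "filter-name") == fname and _text(m, "url-pattern") == "/*"
                   for m in _children(root, "filter-mapping")):
            findings.append(f"filter {fname!r} has no <filter-mapping> for /*")

    cookie_cfgs = [c for s in _children(root, "session-config")
                   for c in _children(s, "cookie-config")]
    if not cookie_cfgs:
        findings.append("<cookie-config> is missing")
    else:
        for name in ("http-only", "secure"):
            got = _text(cookie_cfgs[0], name)
            if got != "true":
                findings.append(f"<{name}> is {got!r}, expected 'true'")
    return findings


# Constructed samples. HARDENED mirrors the page's Step 2 result; WEAK is a
# default-style file with the filter still commented out and Secure not set.
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>
"""

WEAK_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter>
  -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>false</secure></cookie-config>
  </session-config>
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, audit_web_xml(doc) or ["OK"])
```

To audit a real file, read <tomcat_home>/conf/web.xml (or the SuperWEB2-specific WEB-INF/web.xml) into a string and pass it to audit_web_xml; the namespace stripping means the same check works for any Servlet spec version of the web-app root element.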

Step 3 - Restart Tomcat or the SuperWEB2 Service

Restart Tomcat or the SuperWEB2 service to apply the above changes.
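Once Tomcat is back up, the settings from Steps 1 and 2 should be visible in the response headers: X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff from the filter, and a JSESSIONID cookie carrying Secure, HttpOnly and SameSite. The script below checks a captured response for all of these. It is an added example for this page, not part of the SuperWEB2 documentation; the two responses it contains are constructed samples with placeholder cookie values, and the function names are ours.

```python
"""Verify the response headers that the Step 1 (SameSite) and Step 2 (Secure,
HttpOnly, anti-clickjacking, nosniff) settings should produce after a restart.
Added example for this page, not part of the SuperWEB2 documentation; it parses
a captured response offline, e.g. the output of `curl -sSI https://<host>/webapi/`."""


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie):
    """Attributes of one Set-Cookie value, lower-cased: {'secure': None, 'samesite': 'Lax', ...}."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:             # parts[0] is the cookie's own name=value
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return attrs


def check_response_headers(raw, expected_samesite="Lax"):
    """Return findings for a captured response; an empty list means all settings are in effect.
    expected_samesite is 'Lax' or 'Strict', matching the CookieProcessor chosen in Step 1."""
    _, headers = parse_headers(raw)
    single = {n: v for n, v in headers if n != "set-cookie"}
    findings = []
    if single.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN (antiClickJacking not in effect)")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (blockContentTypeSniffing not in effect)")
    cookies = [v for n, v in headers if n == "set-cookie"]
    if not cookies:
        findings.append("no Set-Cookie header; request a page that creates a session")
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = cookie_attributes(c)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if (attrs.get("samesite") or "").lower() != expected_samesite.lower():
            findings.append(f"cookie {name} SameSite is {attrs.get('samesite')!r}, "
                            f"expected {expected_samesite!r}")
    return findings


# Constructed responses; the cookie values are placeholders, not real session ids.
GOOD_RESPONSE = """HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=constructed0123; Path=/webapi; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html;charset=UTF-8
"""

BAD_RESPONSE = """HTTP/1.1 200
Set-Cookie: JSESSIONID=constructed4567; Path=/webapi; HttpOnly
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    print("good:", check_response_headers(GOOD_RESPONSE) or ["OK"])
    print("bad: ", check_response_headers(BAD_RESPONSE))
```

Run the check against the HTTPS URL your users actually reach: if a reverse proxy sits in front of Tomcat, it is the proxy's response that matters, and Tomcat will not add the Secure attribute to a cookie it believes was requested over plain HTTP.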
