13 Essential Tomcat Security Baselines to Harden Your Server
Learn how to secure Apache Tomcat by applying a 13‑item baseline that covers account permissions, root‑less operation, strong passwords, disabling manager apps, preventing directory listing, restricting HTTP methods, enabling HTTPS, changing default ports, configuring access logs, custom error pages, hiding server banners, and limiting connections.
Practical: 13 Tomcat Security Baseline Hardening Checklist
Applicable versions: Tomcat 7/8/9 (Tomcat 7 and 8.0 are end-of-life and no longer receive security fixes; run 8.5 or 9 and keep it patched, the checks below apply unchanged). Configuration path: $CATALINA_HOME/conf/. Operational principles: least privilege, defense in depth, auditability.
Why is Tomcat a high‑risk area?
Because Apache Tomcat’s default configuration is aimed at development and debugging rather than production security. When used directly in production it easily exposes the following risks:
Account permission risk : using root to start Tomcat or leaving default accounts – may lead to privilege escalation and lateral movement.
Access control missing : manager app enabled, directory listing switched on – may allow WAR/WebShell upload (remote code execution) and sensitive file disclosure.
Information leakage : version number and stack traces exposed – helps attackers choose exploits.
Protocol security flaws : HTTPS not enabled or legacy TLS versions still accepted – traffic can be eavesdropped on or intercepted by a man‑in‑the‑middle; default ports make the server trivial to find in a scan.
Audit capability lacking : no access logs or custom error handling – makes attack tracing difficult or impossible and leaks stack traces to the attacker.
1. Account and Permission Security
Goal: Ensure tomcat-users.xml contains no test, default, or deprecated accounts.
<!-- conf/tomcat-users.xml -->
<tomcat-users>
<!-- Ensure the following accounts do not exist -->
<!-- <user username="tomcat1" password="123456" roles="manager-gui"/> -->
<!-- <user username="admin" password="<must-be-changed>" roles="admin-gui"/> -->
</tomcat-users>
Recommendation: If the user‑management feature is not needed, leave the file with no <user> or <role> elements rather than deleting the file the UserDatabaseRealm in server.xml points at. If accounts are retained, enforce password complexity (uppercase, lowercase, digits, special characters), replace every <must-be-changed> placeholder, and make the file readable only by root and the Tomcat group (e.g., chmod 640): passwords are stored in clear text unless a CredentialHandler is configured on the realm.
2. Run Tomcat as a Non‑Root User
Goal: The Tomcat process must not run as root, and the runtime user must not own the binaries or configuration, so a compromised web application cannot rewrite them.
ps -eo user,pid,cmd | grep '[c]atalina'
# Expected output: the USER column shows a dedicated service account (e.g., tomcat), not root
# Create a dedicated runtime user with no login shell
useradd -r -s /sbin/nologin tomcat
# Root keeps ownership of the installation; Tomcat only needs to write its working directories
chown -R root:tomcat $CATALINA_HOME
chmod -R o-rwx $CATALINA_HOME/conf
chown -R tomcat:tomcat $CATALINA_HOME/logs $CATALINA_HOME/temp $CATALINA_HOME/work $CATALINA_HOME/webapps
# Start as the new user (su - tomcat would fail because the shell is /sbin/nologin)
runuser -u tomcat -- $CATALINA_HOME/bin/startup.sh
Caveat: a non‑root process cannot bind ports below 1024, so keep Tomcat on a high port behind a reverse proxy (or grant the JVM cap_net_bind_service with setcap) instead of starting it as root. In production, run it as a systemd service with User=tomcat rather than calling startup.sh by hand.
3. Enforce Strong Passwords
Goal: All configuration accounts must meet the enterprise password policy.
<user username="deploy" password="Xx@2025!Pass" roles="manager-script"/>
Compliance: length ≥ 8 with upper‑case, lower‑case, digits and special characters; placeholders such as <must-be-changed> are prohibited, as are vendor defaults such as changeit. If no users are defined, the check is considered compliant. The value above illustrates the format only; generate real passwords with a password manager and do not reuse this one.
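The checks from items 1 and 3 in code, as an added example rather than anything from the original article: it parses a tomcat-users.xml with Python's standard xml.etree, and flags default or test account names, placeholder passwords, and passwords that miss the complexity rule. The sample file, the account-name list and the password list are constructed assumptions for the demonstration; adjust them to your own policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of conf/tomcat-users.xml for this demonstration only.
# The placeholder is written as &lt;must-be-changed&gt; because a raw "<" is
# not allowed inside an XML attribute value (in the shipped file it sits
# inside a comment, where it is legal).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat1" password="123456" roles="manager-gui"/>
  <user username="admin" password="&lt;must-be-changed&gt;" roles="admin-gui"/>
  <user username="deploy" password="Xx@2025!Pass" roles="manager-script"/>
</tomcat-users>
"""

# Assumed policy lists: names that ship in Tomcat's sample file or are typical
# test accounts, and passwords that are placeholders or vendor defaults.
DEFAULT_ACCOUNT_NAMES = {"tomcat", "admin", "manager", "both", "role1", "test"}
PLACEHOLDER_PASSWORDS = {"<must-be-changed>", "changeit", "tomcat", "admin",
                         "password", "123456"}


def password_is_strong(pw):
    """Item 3: length >= 8 with upper, lower, digit and special character."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ])


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tomcat-users.xml tags."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for items 1 and 3; empty list = compliant."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        if name.lower() in DEFAULT_ACCOUNT_NAMES or name.lower().startswith("test"):
            findings.append((name, "default or test account name"))
        if pw in PLACEHOLDER_PASSWORDS:
            findings.append((name, "placeholder or well-known password"))
        elif not password_is_strong(pw):
            findings.append((name, "password fails the complexity policy"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_tomcat_users.py [$CATALINA_HOME/conf/tomcat-users.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    results = audit_tomcat_users(text)
    for user, why in results:
        print(f"FAIL  {user}: {why}")
    if not results:
        print("PASS  no default accounts or weak passwords")
```

Run it against the real file after the change from item 1; an empty result is the compliant state the baseline describes, and a file with no user elements at all passes for the same reason.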
4. Disable the Manager Application
Goal: Remove the manager and host-manager apps so nobody can deploy an attacker‑supplied WAR (which is remote code execution) through them. The bundled docs and examples applications are not needed in production either and should go at the same time.
rm -rf $CATALINA_HOME/webapps/manager/
rm -rf $CATALINA_HOME/webapps/host-manager/
Verification: curl -s -o /dev/null -w '%{http_code}\n' http://ip:port/manager/html should print 404. If deployments genuinely require the manager, keep only the manager-script role and restrict access with the RemoteAddrValve in webapps/manager/META-INF/context.xml (Tomcat 8.5 and 9 ship it allowing localhost only).
5. Disable Directory Listing
Goal: Prevent users from browsing static resource directories.
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
Effect: Requesting /static/ (a directory with no welcome file) returns 404 instead of a file list. Edit the existing default servlet declaration in conf/web.xml rather than adding a second one; listings is already false in the shipped file, so the check is that nobody has set it to true.
6. Disable Dangerous HTTP Methods
Goal: Block PUT, DELETE and other write operations against the default servlet, so static content cannot be overwritten and no JSP can be dropped into the web root.
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
Effect: A PUT request returns 405 Method Not Allowed (Tomcat 7 and 8.0 answer 403 for a read‑only DefaultServlet; either is a pass). readonly already defaults to true; the dangerous state is an explicit readonly=false, which lets any client write files into the web root. This setting governs only the default servlet: to deny methods for every servlet in an application, add a security-constraint listing the methods with an empty auth-constraint, and leave the Connector's allowTrace at its default of false so TRACE stays disabled.
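An added check for items 5 and 6, not code from the original article: it reads the default servlet's init-params out of conf/web.xml and reports only explicit weak values, because Tomcat's documented defaults (listings=false, readonly=true) are already the safe ones. The two web.xml excerpts are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of conf/web.xml with both weak settings turned on; the
# real file is far longer, but only the "default" servlet matters here.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# The same excerpt after items 5 and 6 have been applied.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>listings</param-name><param-value>true</param-value>",
    "<param-name>listings</param-name><param-value>false</param-value>",
).replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>",
)


def _local(tag):
    """Strip the Java EE namespace prefix ElementTree puts on the tags."""
    return tag.rsplit("}", 1)[-1]


def _text(parent, child_name):
    """Text of the first child element with the given local name, or ''."""
    for c in parent:
        if _local(c.tag) == child_name:
            return (c.text or "").strip()
    return ""


def default_servlet_params(xml_text):
    """Init-params of the 'default' servlet as a dict, or None if it is not declared."""
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-name") == "default":
            return {
                _text(p, "param-name"): _text(p, "param-value")
                for p in servlet if _local(p.tag) == "init-param"
            }
    return None


def audit_default_servlet(xml_text):
    """Findings for items 5 and 6. Absent parameters fall back to Tomcat's
    documented defaults (listings=false, readonly=true), which are compliant."""
    params = default_servlet_params(xml_text)
    if params is None:
        return []  # no override in this file; the global conf/web.xml declaration applies
    findings = []
    if params.get("listings", "false").lower() == "true":
        findings.append("listings=true: directory listing enabled")
    if params.get("readonly", "true").lower() == "false":
        findings.append("readonly=false: PUT/DELETE can write into the web root")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_default_servlet.py [$CATALINA_HOME/conf/web.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_WEB_XML
    for why in audit_default_servlet(text) or ["no findings"]:
        print(why)
```

Point it at an application's WEB-INF/web.xml too: an application can redeclare the default servlet and silently reopen what conf/web.xml closed, and that is exactly the override this check catches.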
7. Enable HTTPS
Goal: Encrypt web traffic with TLS.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
keystoreFile="conf/keystore/server.keystore"
keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD"/>
Recommendation: Use a Let’s Encrypt or enterprise CA certificate. sslProtocol="TLS" on its own does not restrict versions; sslEnabledProtocols (or, on Tomcat 8.5 and 9, the protocols attribute of a nested SSLHostConfig element, e.g. TLSv1.2+TLSv1.3) is what actually disables SSLv3 and TLS 1.0/1.1. Never ship the JDK default keystore password changeit, and keep the keystore file readable only by the Tomcat user.
8. Change the Default Ports
Goal: Avoid the well‑known defaults 8080 (HTTP), 8009 (AJP) and 8005 (shutdown), which every scanner probes first.
<Connector port="8044" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8445"/>
Suggestion: Changing ports only reduces noise; the real control is a firewall rule that allows the connector port from specific sources only. Remove the AJP Connector entirely unless a front‑end genuinely speaks AJP (Tomcat 8.5.51 / 9.0.31 and later ship it commented out and require a shared secret), and leave the Server element's shutdown port bound to localhost, which is its default.
9‑10. Enable Access Logging and Error Auditing
Goal: Record every request so that an incident can be reconstructed. The valve belongs inside the Host element of server.xml; the shipped server.xml already contains one, so adjust it rather than adding a duplicate.
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="access_log"
suffix=".txt"
pattern="%h %l %u %t \"%r\" %s %b %T"
resolveHosts="false"/>
Log fields: %h client IP, %l remote logname (always -), %u authenticated user, %t timestamp, %r request line, %s status code, %b bytes sent (- for zero), %T response time in seconds. Behind a reverse proxy %h shows the proxy address; add the RemoteIpValve or also log %{X-Forwarded-For}i so the real client is preserved. Ship the files to a central log store: logs left on a compromised host can be edited by the attacker.
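To show what the access log buys you, an added example (not part of the original article) that parses lines written with the pattern above and runs three simple detections over them: methods other than GET/HEAD/POST/OPTIONS, probes for the manager apps removed in item 4, and path‑traversal attempts, plus a per‑client 404 burst count. The log lines, the addresses (documentation ranges) and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed log lines in the pattern %h %l %u %t "%r" %s %b %T (addresses are
# documentation ranges, not real clients). The last line is deliberately malformed.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 0.004
203.0.113.7 - - [12/Mar/2025:10:15:40 +0000] "PUT /shell.jsp HTTP/1.1" 405 - 0.001
198.51.100.23 - - [12/Mar/2025:10:16:01 +0000] "GET /manager/html HTTP/1.1" 404 - 0.002
198.51.100.23 - - [12/Mar/2025:10:16:02 +0000] "GET /host-manager/html HTTP/1.1" 404 - 0.002
198.51.100.23 - - [12/Mar/2025:10:16:03 +0000] "GET /static/../WEB-INF/web.xml HTTP/1.1" 404 - 0.002
198.51.100.23 - - [12/Mar/2025:10:16:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 - 0.001
198.51.100.23 - - [12/Mar/2025:10:16:05 +0000] "GET /.env HTTP/1.1" 404 - 0.001
this line is not in the configured pattern and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<seconds>[\d.]+)$'
)
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}   # everything else is reported
ADMIN_PREFIXES = ("/manager", "/host-manager")      # apps removed in item 4


def parse_access_log_line(line):
    """Split one AccessLogValve line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split(" ")
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": parts[0],
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
        "seconds": float(m.group("seconds")),
    }


def analyze_access_log(text, not_found_threshold=5):
    """Return (client, reason, request) findings; the threshold is an assumed tuning value."""
    findings = []
    not_found = Counter()
    for raw in text.splitlines():
        rec = parse_access_log_line(raw)
        if rec is None:
            continue  # unparsable line (truncated write, other pattern): skip, never crash
        req = f"{rec['method']} {rec['path']}"
        if rec["method"] not in SAFE_METHODS:
            findings.append((rec["host"], f"dangerous method {rec['method']}", req))
        if rec["path"].startswith(ADMIN_PREFIXES):
            findings.append((rec["host"], "manager app probe", req))
        if "../" in rec["path"] or "%2e%2e" in rec["path"].lower():
            findings.append((rec["host"], "path traversal attempt", req))
        if rec["status"] == 404:
            not_found[rec["host"]] += 1
    for host, n in not_found.items():
        if n >= not_found_threshold:
            findings.append((host, f"404 burst: {n} not-found responses", ""))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python access_log_triage.py [$CATALINA_HOME/logs/access_log.2025-03-12.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for host, why, req in analyze_access_log(text):
        print(f"{host:15} {why:40} {req}")
```

The PUT in the sample got a 405 because item 6 was applied; the point of logging it anyway is that the attempt, not just its outcome, is what tells you a host is being targeted.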
11. Configure Custom Error Pages
Goal: Prevent exposure of stack traces, class names, and paths.
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/403.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/500.html</location>
</error-page>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.html</location>
</error-page>
Advice: Use java.lang.Throwable as the exception-type so every unhandled exception is covered, not just NullPointerException. Put these entries in conf/web.xml to cover all applications, or in an application's WEB-INF/web.xml. Keep the error pages static and free of version, path or stack‑trace information, and set showReport="false" and showServerInfo="false" on the ErrorReportValve in the Host element of server.xml so Tomcat's own default error page stops disclosing the version as well.
12. Hide Server Banner
Goal: Prevent attackers from fingerprinting the exact Tomcat version.
cd $CATALINA_HOME/lib
cp catalina.jar catalina.jar.bak
jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties
# Edit the extracted file to:
server.info=Apache Tomcat
server.number=0.0.0.0
server.built=unknown
jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties
rm -r org   # remove the extracted copy
Scope: ServerInfo.properties controls the version printed at startup, on the default error pages and in the manager; it does not set the HTTP Server header. Tomcat 8.5 and later send no Server header at all unless the Connector's server attribute is set (older versions send Apache-Coyote/1.1); set server="Apache" on the Connector if a fixed value is required. The patched jar is replaced on every upgrade, so script the change or rely on the ErrorReportValve settings from item 11 instead.
Verification: curl -I http://ip:port should show either no Server header or one without a version, and curl http://ip:port/nonexistent should return a 404 body that does not contain Apache Tomcat/x.y.z.
13. Set Reasonable Connection Limits
Goal: Bound the resources a connection flood (denial of service) can consume, so the thread pool and heap cannot be exhausted.
<Connector port="8044"
maxThreads="100"
minSpareThreads="25"
maxConnections="200"
connectionTimeout="20000"/>
Recommendation: Size maxThreads to the CPU and heap available so that a full pool cannot trigger an OutOfMemoryError, keep maxConnections at or above maxThreads, and use acceptCount to bound the backlog of connections waiting for a thread. These limits protect the server itself, not the network: volumetric DDoS has to be absorbed upstream by a load balancer, CDN or scrubbing service.
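Items 7, 8 and 13 all live in server.xml, so one added example (not code from the original article) audits them together: every Connector is checked for well‑known default ports, an enabled AJP connector, TLS settings that still permit SSLv3 or TLS 1.0/1.1, the JDK default keystore password, and missing thread and connection limits. The weak and hardened server.xml snippets are constructed; the hardened one uses the Tomcat 8.5/9 SSLHostConfig form and assumes the keystore password is supplied as a system property, and expanding Tomcat's protocols value "all" to include TLS 1.0/1.1 is a deliberately conservative assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml excerpts (Engine/Host omitted; only Connectors matter here).
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="conf/keystore/server.keystore"
               keystorePass="changeit"/>
  </Service>
</Server>
"""

# Tomcat 8.5/9 style: no AJP, non-default ports, limits set, TLS pinned via SSLHostConfig,
# keystore password taken from a system property instead of a literal (assumed setup).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8044" protocol="HTTP/1.1" connectionTimeout="20000"
               maxThreads="100" maxConnections="200" redirectPort="8445"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="100" maxConnections="200">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore/server.keystore"
                     certificateKeystorePassword="${keystore.password}"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

WELL_KNOWN_PORTS = {"8080", "8009"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Conservative assumption: treat "all" as enabling every TLS version, legacy ones included.
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def enabled_tls_protocols(spec):
    """Expand a Tomcat protocol list ("TLSv1.2+TLSv1.3", "all,-TLSv1,-TLSv1.1",
    "TLSv1.2,TLSv1.3") into the set of enabled versions; None/empty -> empty set."""
    enabled, removed = set(), set()
    for tok in re.split(r"[+,\s]+", (spec or "").strip()):
        if not tok:
            continue
        if tok.startswith("-"):
            removed.add(tok[1:])
        elif tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        else:
            enabled.add(tok)
    return enabled - removed


def audit_connectors(xml_text):
    """Return (port, finding) tuples for items 7, 8 and 13; empty list = compliant."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        if port in WELL_KNOWN_PORTS:
            findings.append((port, "well-known default port"))
        if "AJP" in c.get("protocol", "HTTP/1.1").upper():
            findings.append((port, "AJP connector enabled; remove it unless a front-end speaks AJP"))
            continue
        if c.get("SSLEnabled", "false").lower() == "true":
            spec = c.get("sslEnabledProtocols")        # legacy attribute form
            host_cfg = c.find("SSLHostConfig")         # Tomcat 8.5+/9 form takes precedence
            if host_cfg is not None:
                spec = host_cfg.get("protocols", spec)
            enabled = enabled_tls_protocols(spec)
            if not enabled or enabled & LEGACY_PROTOCOLS:
                findings.append((port, "TLS protocols not pinned to TLSv1.2/TLSv1.3"))
            passwords = [c.get("keystorePass")] + [
                cert.get("certificateKeystorePassword") for cert in c.iter("Certificate")]
            if "changeit" in passwords:
                findings.append((port, "keystore password is the JDK default 'changeit'"))
        if not (c.get("maxThreads") and c.get("maxConnections")):
            findings.append((port, "maxThreads/maxConnections not set; Tomcat defaults apply"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"== {label} server.xml ==")
        for port, why in audit_connectors(xml_text) or [("-", "no findings")]:
            print(f"  port {port}: {why}")
```

The "not pinned" finding fires both when no protocol list is given at all (the original item 7 connector, where sslProtocol="TLS" leaves every version enabled) and when the list still names a legacy version, which is the check the openssl s_client test in the verification list confirms from the outside.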
Verification Checklist (Ensuring Compliance)
Account security – check tomcat-users.xml for default accounts.
Startup privilege – ps -ef | grep tomcat should show a non‑root user.
Manager disabled – curl /manager returns 404.
Directory listing disabled – accessing static directories does not show file lists.
HTTPS functional – curl -k https://ip:8443 succeeds, while openssl s_client -connect ip:8443 -tls1_1 (and -tls1) fails to negotiate.
Access logs present – tail -f logs/access_log* shows entries.
Custom error pages – curl -i http://ip:port/nonexistent returns 404 with the custom page body (the error-page element forwards internally; it is not a redirect).
Server header hidden – curl -I http://ip:port shows no version in any Server header, and the 404 body contains no Apache Tomcat/x.y.z string.
Conclusion
The 13‑item Tomcat security baseline provides a comprehensive framework covering identity and permission management, access control, communication security, auditability, information hiding, and resource management. Implementing these controls reduces attack surface, raises attacker effort, and establishes a default‑secure posture for your Java web applications.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Xiao Liu Lab
An operations lab passionate about server tinkering 🔬 Sharing automation scripts, high-availability architecture, alert optimization, and incident reviews. Using technology to reduce overtime and experience to avoid major pitfalls. Follow me for easier, more reliable operations!