Top 12 Tomcat Hardening Steps to Secure Your Java Web Server

Learn how to harden Apache Tomcat by disabling default users, removing unnecessary webapps, preventing directory listings, enforcing HttpOnly cookies, securing shutdown ports, hiding version info, disabling auto‑deployment, setting proper file permissions, enabling access logs, customizing error pages, and configuring custom application paths.

BiCaiJia Technology Team

1. Disable All Default Users in tomcat-users.xml

Comment out every user entry in $CATALINA_HOME\conf\tomcat-users.xml as shown below:

<tomcat-users>
  <!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="admin" password="admin" roles="manager"/>
  -->
</tomcat-users>

If business logic requires built‑in Tomcat users, assign appropriate roles and passwords that comply with your password policy. Tomcat role types are:

role1‑gui : read‑only access

tomcat‑gui : read and execute

admin‑gui : read, execute, and write

manager‑gui : remote management

When using enabled Tomcat users, configure a session timeout in $CATALINA_HOME\conf\server.xml as shown in step 5.

2. Remove Default Web Applications

Delete unnecessary applications located in $CATALINA_HOME\webapps such as docs, examples, host‑manager, manager, and ROOT, unless they are required for your deployment.

Verification: Access http://localhost:8080/manager/html; the page should be blank.

3. Disable Directory Listings

Ensure the listings parameter in $CATALINA_HOME\conf\web.xml is set to false:

<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

4. Set HttpOnly Attribute for Cookies

Add useHttpOnly="true" to $CATALINA_HOME\conf\context.xml:

<Context useHttpOnly="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

Also configure the web application’s web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

Verification: Use a browser developer tool (e.g., Firebug) to confirm the HttpOnly flag on cookies.

5. Secure the Shutdown Port

In $CATALINA_HOME\conf\server.xml, change the default shutdown command:

<Server port="8005" shutdown="SHUTDOWN">

Replace SHUTDOWN with a complex, hard‑to‑guess string and use a port number above 1024:

<Server port="unused_port" shutdown="complex_string">

Verification: Attempt to telnet to the original port (8005) and send the old shutdown command; Tomcat should remain running.

6. Hide Tomcat Version Information

Edit $CATALINA_HOME\lib\catalina.jar\org\apache\catalina\util\ServerInfo.properties (the file lives inside catalina.jar) to replace the version details:

server.info=SmartCity
server.number=SmartCity
server.built=20140101

Verification: Trigger an error page and ensure no Tomcat version appears.
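Because ServerInfo.properties sits inside catalina.jar, it cannot simply be opened in an editor; the archive entry has to be rewritten. The following script is an added example, not code from the article or from the Tomcat project. It builds a stand-in catalina.jar in a temporary directory (with constructed version values) so it runs offline, and then replaces the three keys with the values the article uses. The function names and the stand-in jar contents are assumptions; on a real server, stop Tomcat, back up the jar, and point patch_server_info at $CATALINA_HOME/lib/catalina.jar.

```python
"""Rewrite ServerInfo.properties inside catalina.jar (step 6).
Added example, not from the original article."""
import os
import tempfile
import zipfile

ENTRY = 'org/apache/catalina/util/ServerInfo.properties'


def read_server_info(jar_path):
    """Return the properties entry of the jar as a key -> value dict."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read(ENTRY).decode('utf-8')
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue  # skip blanks and comments
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip()
    return props


def patch_server_info(jar_path, info, number, built):
    """Replace the version keys.  Zip archives cannot be edited in place, so the
    jar is copied entry by entry into a temporary file that then replaces it."""
    new_text = f'server.info={info}\nserver.number={number}\nserver.built={built}\n'
    tmp_path = jar_path + '.tmp'
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, 'w', zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == ENTRY:
                dst.writestr(item.filename, new_text)
            else:
                dst.writestr(item, src.read(item.filename))  # keep everything else as-is
    os.replace(tmp_path, jar_path)
    return read_server_info(jar_path)


def make_demo_jar(directory):
    """Construct a stand-in catalina.jar; the version strings are made up for the demo."""
    path = os.path.join(directory, 'catalina.jar')
    with zipfile.ZipFile(path, 'w') as jar:
        jar.writestr('META-INF/MANIFEST.MF', 'Manifest-Version: 1.0\n')
        jar.writestr(ENTRY, 'server.info=Apache Tomcat/8.5.0\n'
                            'server.number=8.5.0.0\n'
                            'server.built=Jan 1 2016 00:00:00 UTC\n')
    return path


def demo():
    """Patch a stand-in jar and return (properties before, properties after)."""
    with tempfile.TemporaryDirectory() as workdir:
        jar = make_demo_jar(workdir)
        before = read_server_info(jar)
        after = patch_server_info(jar, 'SmartCity', 'SmartCity', '20140101')
        return before, after


if __name__ == '__main__':
    before, after = demo()
    print('before:', before)
    print('after: ', after)
```

The JDK's own tool does the same job from the command line: with the edited file placed under org/apache/catalina/util/, `jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties` updates that entry. Either way, re-check the file after every Tomcat upgrade, since a new catalina.jar restores the real version string.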

7. Disable Automatic WAR Deployment

Modify $CATALINA_HOME\conf\server.xml to prevent auto‑deployment of WAR files:

<Host name="localhost" appBase="webapps"
      unpackWARs="false" autoDeploy="false"
      xmlValidation="false" xmlNamespaceAware="false">

Verification: Drop a WAR file into webapps and restart Tomcat; the WAR should not be deployed.

8. Deploy Tomcat with Limited User Permissions

Create a non‑privileged user for deployment and adjust file permissions:

# Example commands
chmod 750 *
chmod -R 540 bin/*
chmod -R 540 lib/*
chmod -R 640 conf/*

Clear Tomcat caches after permission changes:

# Remove cached work directories
rm -rf work/Catalina/
rm -rf conf/Catalina/

9. Enable Access Logging

Add an AccessLogValve entry to server.xml:

<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log"
       suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
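Steps 1, 3, 4, 5, 7 and 9 are all settings that can be verified by reading the configuration files rather than by poking at the running server. The script below is an added example, not code from the article or from the Tomcat project: it audits tomcat-users.xml, web.xml, context.xml and server.xml for those settings and returns a list of findings. The sample XML is constructed inline (one set resembling a stock install, one with every step applied) so the script runs offline; the check names, the 16-character minimum for the shutdown command, and the treatment of port -1 (which disables the shutdown port) are assumptions beyond what the article states.

```python
"""Audit Tomcat config fragments for the hardening settings of steps 1, 3, 4, 5, 7, 9.
Added example, not part of the original article; sample XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed samples resembling a default install (expected to fail the audit).
DEFAULT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="admin" roles="manager"/>
</tomcat-users>"""
DEFAULT_WEB_XML = """<web-app><servlet><servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""
DEFAULT_CONTEXT_XML = '<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
  </Engine></Service></Server>"""

# Constructed samples with every step applied (expected to pass).
HARDENED_USERS_XML = '<tomcat-users><!-- <user username="admin" password="admin" roles="manager"/> --></tomcat-users>'
HARDENED_WEB_XML = DEFAULT_WEB_XML.replace('<param-value>true', '<param-value>false')
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
HARDENED_SERVER_XML = """<Server port="18005" shutdown="Q7v2kPz9mL4xW8rT3yHn"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
    </Host>
  </Engine></Service></Server>"""


def _local(tag):
    """Strip a namespace prefix: '{uri}name' -> 'name' (the real conf/web.xml is namespaced)."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, name):
    """Yield every element in the tree whose local tag name is `name`."""
    return (el for el in root.iter() if _local(el.tag) == name)


def audit_tomcat_users(xml_text):
    """Step 1: any <user> that is not commented out is a live account."""
    findings = []
    for user in _find_all(ET.fromstring(xml_text), 'user'):
        name = user.get('username', '?')
        findings.append(f"tomcat-users.xml: active account '{name}' (roles={user.get('roles', '')})")
        if user.get('password') in ('tomcat', 'admin', name):  # the stock defaults
            findings.append(f"tomcat-users.xml: account '{name}' keeps a default or trivial password")
    return findings


def audit_web_xml(xml_text):
    """Step 3: the 'listings' init-param must be explicitly false."""
    for param in _find_all(ET.fromstring(xml_text), 'init-param'):
        pairs = {_local(c.tag): (c.text or '').strip() for c in param}
        if pairs.get('param-name') == 'listings':
            if pairs.get('param-value', '').lower() == 'false':
                return []
            return ['web.xml: directory listings are enabled']
    return ['web.xml: no explicit listings=false parameter']


def audit_context_xml(xml_text):
    """Step 4: <Context useHttpOnly="true">."""
    ok = ET.fromstring(xml_text).get('useHttpOnly', '').lower() == 'true'
    return [] if ok else ['context.xml: useHttpOnly is not "true"']


def audit_server_xml(xml_text):
    """Steps 5, 7 and 9: shutdown port/command, auto-deployment, access log valve."""
    root = ET.fromstring(xml_text)
    findings = []
    port, cmd = root.get('port', '8005'), root.get('shutdown', 'SHUTDOWN')
    if port == '8005':
        findings.append('server.xml: shutdown port is the default 8005')
    elif port != '-1' and (not port.isdigit() or int(port) <= 1024):  # -1 disables the port
        findings.append(f'server.xml: shutdown port {port} is not above 1024')
    if cmd == 'SHUTDOWN':
        findings.append('server.xml: shutdown command is the default SHUTDOWN')
    elif len(cmd) < 16:  # minimum length is an assumption, not a Tomcat rule
        findings.append('server.xml: shutdown command is short enough to guess')
    for host in _find_all(root, 'Host'):
        for attr in ('autoDeploy', 'unpackWARs'):  # both default to true when absent
            if host.get(attr, 'true').lower() != 'false':
                findings.append(f"server.xml: Host '{host.get('name')}' has {attr} enabled")
    if not any(v.get('className', '').endswith('AccessLogValve') for v in _find_all(root, 'Valve')):
        findings.append('server.xml: no AccessLogValve configured')
    return findings


def audit_all(users_xml, web_xml, context_xml, server_xml):
    """Run every check; an empty list means all six steps are in place."""
    return (audit_tomcat_users(users_xml) + audit_web_xml(web_xml)
            + audit_context_xml(context_xml) + audit_server_xml(server_xml))


if __name__ == '__main__':
    for finding in audit_all(DEFAULT_USERS_XML, DEFAULT_WEB_XML, DEFAULT_CONTEXT_XML, DEFAULT_SERVER_XML):
        print('FINDING:', finding)
    print('hardened findings:', audit_all(HARDENED_USERS_XML, HARDENED_WEB_XML,
                                          HARDENED_CONTEXT_XML, HARDENED_SERVER_XML))
```

To run it against a real installation, read each file from $CATALINA_HOME/conf and pass the text to audit_all; comments are dropped by the XML parser, which is exactly why commenting out the users in step 1 takes them out of play. The namespace-stripping helper is there because the shipped conf/web.xml declares a default namespace, which would otherwise hide its init-param elements from a plain tag match.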

10. Review Official Security Advisories

Consult the Apache Tomcat security page for the latest vulnerability information: http://tomcat.apache.org/security.html

11. Customize Application Installation Path

In server.xml, define a custom Host and Context to map a virtual path to a physical directory:

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  ...
  <Context path="" docBase="D:/javaweb" debug="0" reloadable="true" crossContext="true" />
</Host>

When path is empty, the virtual directory maps directly to the physical path; if a non‑empty path (e.g., /java) is set, the URL becomes http://host:8080/java.

12. Define Custom Error Pages to Conceal Tomcat Details

Add error‑page mappings in $CATALINA_HOME\conf\web.xml:

<error-page>
  <error-code>404</error-code>
  <location>/404.html</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/500.html</location>
</error-page>
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
