# Hardening Tomcat

### Secure SSL ciphers

If you are running your Tomcat installation behind a reverse proxy, these recommendations will not be needed, as Tomcat is not terminating SSL/TLS.

Change the HTTP connector in `<tomcat>\conf\server.xml` to use the following ciphers:

```
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256
```

List updated: 2018-02-07
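To check an existing `server.xml` against the list above, here is an added Python example (not part of the original page or of Tempus Serva). The `server.xml` fragment and the keystore path in it are constructed for the demonstration; the audit handles both the Tomcat 8.5+ `<SSLHostConfig ciphers="...">` form and the older `ciphers=` attribute on `<Connector>`.

```python
"""Audit the TLS cipher list in a Tomcat server.xml against the
recommended list from this page. Added example, not part of the page,
Tomcat or Tempus Serva."""
import xml.etree.ElementTree as ET

# The recommended cipher list from this page (updated 2018-02-07).
RECOMMENDED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed server.xml fragment: one HTTPS connector whose list drifted
# (RC4 is not on the page's list). The keystore path is a placeholder.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                              TLS_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_RSA_WITH_RC4_128_SHA">
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

def audit_ciphers(server_xml: str) -> dict:
    """Return {connector port: sorted ciphers not on RECOMMENDED} for every
    SSL-enabled connector. Plain HTTP/AJP connectors are skipped."""
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 8.5+ nests ciphers in <SSLHostConfig>; older configs put
        # them directly on <Connector>. Collect both, tolerating whitespace.
        raw = [h.get("ciphers") for h in conn.iter("SSLHostConfig")] + [conn.get("ciphers")]
        configured = set()
        for value in filter(None, raw):
            configured.update(c.strip() for c in value.split(",") if c.strip())
        findings[conn.get("port")] = sorted(configured - RECOMMENDED)
    return findings

if __name__ == "__main__":
    for port, extra in audit_ciphers(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: not on recommended list -> {extra or 'none'}")
```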

### Secure headers

If you are running your Tomcat installation behind a reverse proxy, these recommendations will not be needed, as Tomcat is not terminating SSL/TLS.

In the server-level web.xml (`<tomcat>\conf\web.xml`) uncomment the following sections:

```xml
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
```

```xml
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

### Additional CSRF filtering

The TS platform is already safe from CSRF attacks. CSRF tokens are generated at login and required for all data-altering transactions.

The TS implementation does not use rotating or page-specific CSRF tokens, so if additional security is needed, use the [OWASP implementation](https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project).

### Additional security filters

Tempus Serva comes with multiple additional security features:

- Lock user session to IP
- Lock service to listed countries
- Use passcode sent by SMS

The filters are activated by uncommenting the code in the application's /WEB-INF/web.xml.

Note that the filters can be applied to any part of the application: login, designer, webinterface and rest.

### Validating your site

You can use the following services to check the security of your installation:

#### Test SSL

Tip: Remember to check "Do not show the results on the boards"

[https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)

[https://sikkerpånettet.dk/](https://xn--sikkerpnettet-vfb.dk/)

#### Test Headers

[https://tools.geekflare.com/report/header-security-test](https://tools.geekflare.com/report/header-security-test)