Security Best Practices
If you are using Apache Tomcat for deploying the war file, TIBCO recommends that you abide by the following best practices for production use:
- Configure the server to remove the server banner (the Server header) from HTTP responses.
- Ensure that public access to the examples directory is disabled. You might want to delete the examples to keep the directory clean and avoid known security risks in the default Tomcat example applications.
- Start the server with the Tomcat security manager.
- To secure the application, enable SSL or TLS and enforce HTTPS.
- Add the secure and http-only flags to the session cookie. This can be done by adding the following code in the session-config section of the web.xml file:
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
- Change the Tomcat shutdown port and default command to something unpredictable. Modify the following code in the server.xml file:
  <Server port="8005" shutdown="SHUTDOWN">
- Use custom error pages to replace default 403, 404, and 500 pages.
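As an added example (not part of the TIBCO documentation), the following Python script checks a server.xml and a web.xml for two of the items above: whether the shutdown port and command are still the Tomcat defaults, and whether the session cookie-config sets both http-only and secure. The XML fragments are constructed samples; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment that still uses the Tomcat defaults.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina"/>
</Server>"""

# Constructed web.xml fragment that sets http-only but forgets secure.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed web.xml fragment with both flags set, as the page recommends.
WEB_XML_HARDENED = WEB_XML.replace(
    "<http-only>true</http-only>",
    "<http-only>true</http-only><secure>true</secure>")

def _local(tag):
    """Strip an XML namespace prefix such as {http://...}tag -> tag."""
    return tag.rsplit("}", 1)[-1]

def check_server_xml(text):
    """Return findings for the <Server> shutdown port and command."""
    root = ET.fromstring(text)
    if _local(root.tag) != "Server":
        return ["root element is not <Server>"]
    findings = []
    # port="-1" disables the shutdown listener entirely, so only flag 8005.
    if root.get("port") == "8005":
        findings.append("shutdown port is the default 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is the default SHUTDOWN")
    return findings

def check_web_xml(text):
    """Return findings for the session cookie-config flags."""
    root = ET.fromstring(text)
    cookie_cfg = next((el for el in root.iter()
                       if _local(el.tag) == "cookie-config"), None)
    if cookie_cfg is None:
        return ["no <cookie-config> in session-config"]
    flags = {_local(c.tag): (c.text or "").strip().lower() for c in cookie_cfg}
    return [f"cookie {flag} flag is not set to true"
            for flag in ("http-only", "secure") if flags.get(flag) != "true"]
```

Run the two checkers over the deployed files before each release; an empty list means the setting matches the recommendation.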
Copyright © 2021. Cloud Software Group, Inc. All Rights Reserved.