Basic steps to Secure Tomcat 8

1. Change Server Header Response

In server.xml

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="<WhatEverYouWant2Show>"/>

2. Undeploy the applications below

– / -> the ROOT app, which displays the Tomcat welcome page

– /docs -> shows the Tomcat documentation at http://ip/docs

– /examples -> shows the Tomcat examples page at http://ip/examples

3. Restrict access to manager and host-manager apps.

– Open TOMCAT_HOME/webapps/manager/META-INF/context.xml and add the following Valve inside the Context element:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="XXX.XXX.XXX.XXX"/>

– Enter the IP address or range from which you want to access the manager or host-manager app. Also make sure that the Context has privileged="true".


4. Change the manager and host-manager app URLs. To do this, rename TOMCAT_HOME/webapps/manager to TOMCAT_HOME/webapps/<new-name> (and do the same for host-manager).


5. Redirect Tomcat error pages to a custom page.

– Create a custom error.jsp and store it in the TOMCAT_HOME/webapps/<Application>/ folder.

– Open TOMCAT_HOME/webapps/<Application>/WEB-INF/web.xml and go to the end of the file, where the default error pages are declared, e.g.:

<error-page>
<error-code>401</error-code>
<location>/WEB-INF/jsp/401.jsp</location>
</error-page>

and change "/WEB-INF/jsp/401.jsp" to "/error.jsp".

This needs to be done inside the manager and host-manager apps as well.

Finally, restart Tomcat to apply the changes.
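As an added example (not part of the original post), a small Python audit script that checks a Tomcat installation for steps 1 to 4 above: the Server header override, the removed default apps, and a RemoteAddrValve plus a non-default name for privileged (manager-style) apps. It assumes the standard CATALINA_HOME layout (conf/server.xml and webapps/) and the ROOT directory name for the root app; make_sample writes a constructed layout purely for testing.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_APPS = ("ROOT", "docs", "examples")   # step 2 of the post
VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def audit_tomcat(catalina_home):
    """Return a list of findings; an empty list means steps 1-4 are in place."""
    findings = []
    webapps = os.path.join(catalina_home, "webapps")
    # Step 1: every HTTP connector must override the Server response header
    root = ET.parse(os.path.join(catalina_home, "conf", "server.xml")).getroot()
    for conn in root.iter("Connector"):
        if "HTTP" in conn.get("protocol", "HTTP/1.1") and not conn.get("server"):
            findings.append("connector %s: no server= attribute" % conn.get("port"))
    # Step 2: the default applications must be gone
    for app in DEFAULT_APPS:
        if os.path.isdir(os.path.join(webapps, app)):
            findings.append("default app %s still deployed" % app)
    # Steps 3/4: privileged apps need a RemoteAddrValve allow list and a new name
    for app in sorted(os.listdir(webapps)):
        ctx_path = os.path.join(webapps, app, "META-INF", "context.xml")
        if not os.path.isfile(ctx_path):
            continue
        ctx = ET.parse(ctx_path).getroot()
        if ctx.get("privileged") != "true":
            continue  # not a manager-style application
        if app in ("manager", "host-manager"):
            findings.append("%s still reachable at its default URL" % app)
        valves = [v for v in ctx.iter("Valve") if v.get("className") == VALVE]
        if not valves or not all(v.get("allow") for v in valves):
            findings.append("%s has no RemoteAddrValve allow list" % app)
    return findings

def make_sample(hardened):
    # Constructed CATALINA_HOME layout for testing only; returns its path.
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "conf"))
    server_attr = ' server="Web"' if hardened else ""
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write('<Server><Service><Connector port="80" protocol="HTTP/1.1"%s/>'
                '</Service></Server>' % server_attr)
    apps = ["admin-xyz"] if hardened else ["ROOT", "docs", "examples", "manager"]
    # allow= is a java.util.regex pattern, so the dots of the address are escaped
    valve = ('<Valve className="%s" allow="10\\.0\\.0\\.\\d+"/>' % VALVE) if hardened else ""
    for app in apps:
        os.makedirs(os.path.join(home, "webapps", app, "META-INF"))
        if app in ("admin-xyz", "manager"):
            with open(os.path.join(home, "webapps", app, "META-INF", "context.xml"), "w") as f:
                f.write('<Context privileged="true">%s</Context>' % valve)
    return home
```

Run audit_tomcat("/opt/tomcat") (or wherever Tomcat is installed) after the restart; an empty list means the checks for steps 1 to 4 pass.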



Neelesh Gurjar has written 122 articles