Basic steps to Secure Tomcat 8

1. Change the Server header sent in responses

In server.xml, add a server attribute to the HTTP Connector; its value replaces Tomcat's default Server header (the value below is a placeholder, choose your own):

<Connector port="80" protocol="HTTP/1.1" server="<your-server-value>" />

2. Undeploy the applications below (remove them from TOMCAT_HOME/webapps)

– / -> the ROOT app, which displays the Tomcat welcome page

– /docs -> the Tomcat documentation, served at http://ip/docs

– /examples -> the Tomcat examples page, served at http://ip/examples

3. Restrict access to the manager and host-manager apps.

– Open TOMCAT_HOME/webapps/manager/META-INF/context.xml (and likewise for host-manager) and add the "valve" element below inside the Context element:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="<ip-address-or-range>" />

– In the allow attribute, enter the IP address or range from which you want to reach the manager or host-manager app. Also make sure the Context has privileged="true".

4. Change the manager & host-manager app URLs. To do this, rename TOMCAT_HOME/webapps/manager to TOMCAT_HOME/webapps/<new-name> (and do the same for host-manager).

5. Redirect Tomcat error pages to a custom page.

– Create a custom error.jsp and store it in the TOMCAT_HOME/webapps/<Application>/ folder

– Open TOMCAT_HOME/webapps/<Application>/WEB-INF/web.xml and go to the end of the file, where the default error pages are declared, e.g.:


And change "/WEB-INF/jsp/401.jsp" to "/error.jsp"

This needs to be done inside the manager and host-manager apps as well.

Finally, restart Tomcat to apply the changes.
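As an added example (not part of the original post), a small Python script that audits a Tomcat 8 install against steps 1 to 3: it parses server.xml for Connectors that lack a server attribute, lists the stock apps still present in webapps, and checks the manager and host-manager context.xml for a RemoteAddrValve allow list. It assumes the standard TOMCAT_HOME/conf and TOMCAT_HOME/webapps layout; the XML strings at the bottom are constructed samples, not configuration from a real server.

```python
import os
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
DEFAULT_APPS = ("ROOT", "docs", "examples")  # step 2: these should be gone

def check_server_header(server_xml):
    """Step 1: flag every Connector that does not override the Server header."""
    root = ET.fromstring(server_xml)
    return [f"Connector on port {c.get('port')} sends the default Server header"
            for c in root.iter("Connector") if not c.get("server")]

def check_default_apps(deployed):
    """Step 2: flag stock apps (welcome page, docs, examples) still in webapps."""
    return [f"default app still deployed: /{a}" for a in DEFAULT_APPS if a in deployed]

def check_manager_context(context_xml, app="manager"):
    """Step 3: the app's context.xml needs a RemoteAddrValve with an allow list."""
    root = ET.fromstring(context_xml)
    valves = [v for v in root.iter("Valve") if v.get("className") == REMOTE_ADDR_VALVE]
    if not any(v.get("allow") for v in valves):
        return [f"{app}: no RemoteAddrValve allow list, reachable from any address"]
    return []

def audit(tomcat_home):
    """Run all checks against a real TOMCAT_HOME; returns the list of findings."""
    with open(os.path.join(tomcat_home, "conf", "server.xml")) as f:
        findings = check_server_header(f.read())
    webapps = os.path.join(tomcat_home, "webapps")
    findings += check_default_apps(os.listdir(webapps))
    for app in ("manager", "host-manager"):
        ctx = os.path.join(webapps, app, "META-INF", "context.xml")
        if os.path.exists(ctx):  # missing if the app was renamed (step 4) or removed
            with open(ctx) as f:
                findings += check_manager_context(f.read(), app)
    return findings

# Constructed sample configs (not from a real server): stock vs. hardened.
STOCK_SERVER_XML = '<Server><Service><Connector port="8080" protocol="HTTP/1.1" /></Service></Server>'
HARDENED_SERVER_XML = '<Server><Service><Connector port="80" protocol="HTTP/1.1" server="Web" /></Service></Server>'
STOCK_CONTEXT_XML = '<Context antiResourceLocking="false" privileged="true" />'
HARDENED_CONTEXT_XML = ('<Context antiResourceLocking="false" privileged="true">'
                        '<Valve className="' + REMOTE_ADDR_VALVE + '" allow="10\\.0\\.0\\.\\d+" />'
                        '</Context>')

if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1]):
        print("FINDING:", finding)
```

Run it as `python audit_tomcat.py /path/to/TOMCAT_HOME` after applying the steps; an empty output means steps 1 to 3 are in place.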

Neelesh Gurjar has written 122 articles