On Fri, Jun 7, 2024 at 10:33 AM Tim Funk <funk...@apache.org> wrote:
> Somewhat related and tangential to the other conversations ....
>
> Is it worth introducing a system property like
> "-Dtomcat.security.harden=true". (Personally not sold yet on the idea)
>

I think I'm +0 on this. Implementing something like this would be nice
because we could leave it off by default and then decide to switch it on
at some future date with lots of warnings to users without having to do
it via configuration change (that probably wouldn't get picked up by any
current installs).

> Then when set to true ...
> - It can go nuts with additional SecureLifecycleListener checks
> - It can disable all OOTB webapps (ROOT/docs/etc) (Which then requires a
> new filter on those webapps)
> - Other hardening checks (minimal error pages, server headers, ...)
>

We could probably include checks that cover a big chunk of what's in the
security considerations doc if we really wanted.

> So from a security perspective, it's trivial to enable. But from a
> developer getting started perspective, the docs, etc. are easy to see?
>
> -Tim
>
> On Thu, Jun 6, 2024 at 10:46 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > All,
> >
> > I'd like to remove the <!-- and --> around the SecureLifecycleListener
> > in conf/server.xml that we bundle with Tomcat distributions.
> >
> > Before I do so, are there any objections to making this change?
> >
> > Thanks,
> > -chris
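The proposal above is to stop shipping the security listener wrapped in `<!-- -->` in conf/server.xml, and Tim's follow-up is about a property that would gate further hardening checks. Below is an added example, not code from Tomcat or from anyone in this thread, that does the first half of that as a check you can run against a server.xml: it strips the comment markers around one `<Listener .../>` line and then reports whether each required listener is live, commented out, or missing. The class name is an assumption: the thread says "SecureLifecycleListener", while the listener Tomcat ships commented out in the stock server.xml is `org.apache.catalina.security.SecurityListener`, so the name is a parameter and the server.xml excerpt is a constructed sample modelled on the stock file.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the listener the thread calls "SecureLifecycleListener" is the one
# shipped commented out as org.apache.catalina.security.SecurityListener. Every
# function takes the class name as a parameter, so substitute your version's name.
SECURITY_LISTENER = "org.apache.catalina.security.SecurityListener"

# Constructed excerpt modelled on the stock conf/server.xml (not the real file):
# the security listener sits inside <!-- ... -->, so Tomcat never instantiates it.
SERVER_XML_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!--
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def uncomment_listener(server_xml: str, class_name: str) -> str:
    """Remove the <!-- and --> wrapped around a single <Listener .../> element,
    which is the edit to conf/server.xml proposed in the thread."""
    pattern = (r"<!--\s*(<Listener\s+className=\"" + re.escape(class_name)
               + r"\"[^>]*/>)\s*-->")
    return re.sub(pattern, r"\1", server_xml)


def enabled_listeners(server_xml: str) -> list[str]:
    """Listener classes Tomcat would actually load. The default parser drops
    comments, so a commented-out listener does not show up here."""
    root = ET.fromstring(server_xml)
    return [el.get("className", "") for el in root.iter("Listener")]


def commented_out_listeners(server_xml: str) -> list[str]:
    """Listener classes that appear only inside XML comments."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml, parser=parser)
    found = []
    for node in root.iter():
        if node.tag is ET.Comment and node.text:
            found += re.findall(r'<Listener\s+className="([^"]+)"', node.text)
    return found


def listener_enabled(server_xml: str, class_name: str) -> bool:
    return class_name in enabled_listeners(server_xml)


def hardening_report(server_xml: str, required=(SECURITY_LISTENER,)) -> dict:
    """Map each required listener class to 'enabled', 'commented out' or 'absent'.
    'commented out' is the interesting state: the operator can see the line in
    the file and may believe the check is running when it is not."""
    enabled = set(enabled_listeners(server_xml))
    commented = set(commented_out_listeners(server_xml))
    report = {}
    for name in required:
        if name in enabled:
            report[name] = "enabled"
        elif name in commented:
            report[name] = "commented out"
        else:
            report[name] = "absent"
    return report


if __name__ == "__main__":
    print("as shipped:", hardening_report(SERVER_XML_COMMENTED))
    fixed = uncomment_listener(SERVER_XML_COMMENTED, SECURITY_LISTENER)
    print("uncommented:", hardening_report(fixed))
```

To use it on a real install, read conf/server.xml into a string and pass it to `hardening_report` with the listener names you require; the three-way result distinguishes a listener that is merely commented out from one that was deleted, which matters because a commented line looks present to anyone skimming the file.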