This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d03a4f4c0733f15b78aa9dfef1593b8e213b4a3b Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jul 1 09:34:19 2025 +0100 Add rejectSuspiciousURIs --- webapps/docs/security-howto.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e827f186d3..d5fbc330cd 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -302,6 +302,12 @@ the <a href="config/valve.html#Form_Authenticator_Valve">FORM authenticator</a>.</p> + <p>The <strong>rejectSuspiciousURIs</strong> attribute can be used to + reject valid URIs that contain patterns that are often used by malicious + clients to mount attacks using techniques such as directory traversal. + Note that this attribute is <code>false</code> by default as there is some + overlap betweeen suspicious URIs and legitimate usage.</p> + <p>The <strong>requiredSecret</strong> attribute in AJP connectors configures shared secret between Tomcat and reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
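Review bot: the added paragraph has a typo, "betweeen" should be "between". It would also help to state which element the rejectSuspiciousURIs attribute is configured on, since the neighbouring paragraphs name their scope (the FORM authenticator link above, "in AJP connectors" for requiredSecret below) while this one does not, and to link to the corresponding configuration reference as those paragraphs do.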