This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 8d7378ee09648b5a6b7c81d5986cf634a2d6eaa6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jul 1 08:47:57 2025 +0100

    Alphabetical order for Connector attributes
---
 webapps/docs/security-howto.xml | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 661c614aa2..e827f186d3 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -271,6 +271,13 @@
       will interpret as UTF-7 a response containing characters that are safe 
for
       ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7.</p>
 
+      <p>The <strong>maxParameterCount</strong> attribute controls the maximum
+      total number of request parameters (including uploaded files) obtained
+      from the query string and, for POST requests, the request body if the
+      content type is <code>application/x-www-form-urlencoded</code> or
+      <code>multipart/form-data</code>. Requests with excessive parameters are
+      rejected.</p>
+
       <p>The <strong>maxPartCount</strong> attribute controls the maximum 
number
       of parts supported for a multipart request. This is limited to 50 by
       default to reduce exposure to a DoS attack. The documentation for
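Review bot: the moved maxParameterCount paragraph is now correctly placed before maxPartCount ("Para" sorts before "Part"), but unlike the neighbouring maxPartCount paragraph, which states "This is limited to 50 by default to reduce exposure to a DoS attack", it gives neither the default value nor the reason for the limit. Since the text is being touched anyway, consider adding a sentence of the same shape for maxParameterCount so a reader of the security howto can tell whether the shipped default is already restrictive or needs to be set explicitly.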
@@ -295,21 +302,9 @@
       the <a href="config/valve.html#Form_Authenticator_Valve">FORM
       authenticator</a>.</p>
 
-      <p>The <strong>maxParameterCount</strong> attribute controls the maximum
-      total number of request parameters (including uploaded files) obtained
-      from the query string and, for POST requests, the request body if the
-      content type is <code>application/x-www-form-urlencoded</code> or
-      <code>multipart/form-data</code>. Requests with excessive parameters are
-      rejected.</p>
-
-      <p>The <strong>xpoweredBy</strong> attribute controls whether or not the
-      X-Powered-By HTTP header is sent with each request. If sent, the value of
-      the header contains the Servlet and JSP specification versions, the full
-      Tomcat version (e.g. Apache Tomcat/<version-major-minor/>), the name of
-      the JVM vendor and
-      the version of the JVM. This header is disabled by default. This header
-      can provide useful information to both legitimate clients and attackers.
-      </p>
+      <p>The <strong>requiredSecret</strong> attribute in AJP connectors
+      configures shared secret between Tomcat and reverse proxy in front of
+      Tomcat. It is used to prevent unauthorized connections over AJP 
protocol.</p>
 
       <p>The <strong>server</strong> attribute controls the value of the Server
       HTTP header. The default value of this header for Tomcat 4.1.x to
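Review bot: the requiredSecret paragraph is moved verbatim and carries the original's missing articles; while relocating it, consider "configures a shared secret between Tomcat and a reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over the AJP protocol." Placement is right (requiredSecret sorts between maxPartCount and server), and the hunk header counts match the fifteen removed and three added lines.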
@@ -337,9 +332,14 @@
       proxy (the authenticated user name is passed to Tomcat as part of the AJP
       protocol) with the option for Tomcat to still perform authorization.</p>
 
-      <p>The <strong>requiredSecret</strong> attribute in AJP connectors
-      configures shared secret between Tomcat and reverse proxy in front of
-      Tomcat. It is used to prevent unauthorized connections over AJP 
protocol.</p>
+      <p>The <strong>xpoweredBy</strong> attribute controls whether or not the
+      X-Powered-By HTTP header is sent with each request. If sent, the value of
+      the header contains the Servlet and JSP specification versions, the full
+      Tomcat version (e.g. Apache Tomcat/<version-major-minor/>), the name of
+      the JVM vendor and
+      the version of the JVM. This header is disabled by default. This header
+      can provide useful information to both legitimate clients and attackers.
+      </p>
     </subsection>
 
     <subsection name="Host">
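Review bot: xpoweredBy now closes the Connector subsection, which is correct alphabetically (after tomcatAuthentication, described in the context lines above). The moved text still reads "This header is disabled by default. This header can provide useful information to both legitimate clients and attackers."; the two sentences could be merged into one ("This header is disabled by default, as it can provide useful information to both legitimate clients and attackers.") so the security rationale for the default is stated directly rather than left for the reader to infer.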


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
