This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new d971a970c3 Alphabetical order for Connector attributes d971a970c3 is described below commit d971a970c3a7b4a825e78844a851dce16462dac2 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jul 1 08:47:57 2025 +0100 Alphabetical order for Connector attributes --- webapps/docs/security-howto.xml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index cbb2ed5f72..4cd7375228 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -292,6 +292,14 @@ non-default value when behind a reverse proxy may enable an attacker to bypass any security constraints enforced by the proxy.</p> + <p>The <strong>maxParameterCount</strong> attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is <code>application/x-www-form-urlencoded</code> or + <code>multipart/form-data</code>. Excessive parameters are ignored. If you + want to reject such requests, configure a + <a href="config/filter.html">FailedRequestFilter</a>.</p> + <p>The <strong>maxPartCount</strong> attribute controls the maximum number of parts supported for a multipart request. This is limited to 50 by default to reduce exposure to a DoS attack. The documentation for @@ -318,22 +326,9 @@ the <a href="config/valve.html#Form_Authenticator_Valve">FORM authenticator</a>.</p> - <p>The <strong>maxParameterCount</strong> attribute controls the maximum - total number of request parameters (including uploaded files) obtained - from the query string and, for POST requests, the request body if the - content type is <code>application/x-www-form-urlencoded</code> or - <code>multipart/form-data</code>. Excessive parameters are ignored. If you - want to reject such requests, configure a - <a href="config/filter.html">FailedRequestFilter</a>.</p> - - <p>The <strong>xpoweredBy</strong> attribute controls whether or not the - X-Powered-By HTTP header is sent with each request. If sent, the value of - the header contains the Servlet and JSP specification versions, the full - Tomcat version (e.g. Apache Tomcat/<version-major-minor/>), the name of - the JVM vendor and - the version of the JVM. This header is disabled by default. This header - can provide useful information to both legitimate clients and attackers. - </p> + <p>The <strong>requiredSecret</strong> attribute in AJP connectors + configures shared secret between Tomcat and reverse proxy in front of + Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p> <p>The <strong>server</strong> attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to @@ -361,9 +356,14 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization.</p> - <p>The <strong>requiredSecret</strong> attribute in AJP connectors - configures shared secret between Tomcat and reverse proxy in front of - Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p> + <p>The <strong>xpoweredBy</strong> attribute controls whether or not the + X-Powered-By HTTP header is sent with each request. If sent, the value of + the header contains the Servlet and JSP specification versions, the full + Tomcat version (e.g. Apache Tomcat/<version-major-minor/>), the name of + the JVM vendor and + the version of the JVM. This header is disabled by default. This header + can provide useful information to both legitimate clients and attackers. + </p> </subsection> <subsection name="Host"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org