6.4 Ensure secure is set to true only for SSL-enabled Connectors

Information

The secure attribute is used to convey Connector security status to applications operating over the Connector. This is typically achieved by calling request.isSecure(). Ensure the secure attribute is only set to true for Connectors operating with the SSLEnabled attribute set to true.

Rationale:

Accurately reporting the security state of the Connector will help ensure that applications built on Tomcat are not unknowingly relying on security controls that are not in place.

Solution

For each Connector defined in server.xml, set the secure attribute to true for those Connectors having SSLEnabled set to true. Set the secure attribute to false for those Connectors having SSLEnabled set to false.

<Connector SSLEnabled='true'
...
secure='true'
...
/>
...
<Connector SSLEnabled='false'
...
secure='false'
...
/>

Default Value:

The secure attribute is set to false.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv7|14.4

Plugin: Unix

Control ID: e89979a4294f589d0134a9817152f9f89ff086cb6326b1c81d65d260e8659a01