Information
The secure attribute is used to convey Connector security status to applications operating over the Connector. This is typically achieved by calling request.isSecure(). Ensure the secure attribute is only set to true for Connectors operating with the SSLEnabled attribute set to true.
Rationale:
Accurately reporting the security state of the Connector will help ensure that applications built on Tomcat are not unknowingly relying on security controls that are not in place.
Solution
For each Connector defined in server.xml, set the secure attribute to true for those Connectors having SSLEnabled set to true. Set the secure attribute to false for those Connectors having SSLEnabled set to false.
<Connector SSLEnabled='true'
...
secure='true'
...
/>
...
<Connector SSLEnabled='false'
...
secure='false'
...
/>
Default Value:
The secure attribute is set to false.