10.6 Enable strict servlet Compliance

Information

The STRICT_SERVLET_COMPLIANCE influences Tomcat's behavior in several subtle ways. See the References below for the complete list. It is recommended that STRICT_SERVLET_COMPLIANCE be set to true.

Rationale:

When STRICT_SERVLET_COMPLIANCE is set to true, Tomcat will always send an HTTP Content-type header when responding to requests. This is significant as the behavior of web browsers is inconsistent in the absence of the Content-type header. Some browsers will attempt to determine the appropriate content-type by sniffing

Solution

To start Tomcat with strict compliance enabled, add -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true the to the startup script.

Impact:

Changing this to true will change a number of other default values which is likely to break the majority of systems as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications. Please refer to the referenced documentation for a complete list of changed values. Defaults, regardless of whether or not they have been changed by setting org.apache.catalina.STRICT_SERVLET_COMPLIANCE can always be overridden by explicitly setting the appropriate system property or element attribute.

Default Value:

By default value is false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/systemprops.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|3.1

Plugin: Unix

Control ID: f7c0b8ff69d6d438d9ebbaad77da5b4e4cd12dce768035aecc9ca13e753ac98e