10.12 Force SSL for all applications

Information

Use the transport-guarantee attribute to ensure SSL protection when accessing all applications. This can be overridden on a per application basis in the application configuration.

Rationale:

By default, when accessing applications SSL will be enforced to protect information sent over the network. By using the transport-guarantee attribute within web.xml, SSL is enforced.

Note: This requires SSL to be configured.

Solution

Set transport-guarantee to CONFIDENTIAL in $CATALINA_HOME/conf/web.xml:

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
<user-data-constraint>

Impact:

If the data protection level is set to INTEGRAL or CONFIDENTIAL, and the client is not already using SSL, then the client is redirected to the same URI, but using port 443 or the port defined for the redirectPort attribute in the <Connector> element in server.xml.

Default Value:

By default this configuration is not present.

References:

https://www.owasp.org/index.php/Securing_tomcat

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv7|14.4

Plugin: Unix

Control ID: ec63cf4121e11221674fb06a4a727f453f23cf6c2a933fd136a6e75f22c1eb5c