6.4 Ensure secure is set to true only for SSL-enabled Connectors - verify secure is set to true

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The secure attribute is used to convey Connector security status to applications operating over the Connector. This is typically achieved by calling request.isSecure(). Ensure the secure attribute is only set to true for Connectors operating with the SSLEnabled attribute set to true.

Rationale:

Accurately reporting the security state of the Connector will help ensure that applications built on Tomcat are not unknowingly relying on security controls that are not in place.

Solution

For each Connector defined in server.xml, set the secure attribute to true for those Connectors having SSLEnabled set to true. Set the secure attribute to false for those Connectors having SSLEnabled set to false.

<Connector SSLEnabled='true'
...
secure='true'
...
/>
...
<Connector SSLEnabled='false'
...
secure='false'
...
/>

Default Value:

The secure attribute is set to false.

See Also

https://workbench.cisecurity.org/files/3090