our application security team recommended that we make 3 changes to enhance our Clarity application's security:
1. Ensure that the secure flag is set for cookies.
2. Ensure that the HTTPOnly flag is set for cookies
3. Disable all unnecessary methods in the web server config (PUT and DELETE)
To implement we did the following:
In D:\apache\apache-tomcat-7.0.55 open the server.xml file.
Add below parameter (in bold) in server.xml under Connector port syntax:
<Connector port="8080" protocol="HTTP/1.1"
In In D:\apache\apache-tomcat-7.0.55\conf open the context.xml file.
Add the below parameter in context.xml after Context:
In In D:\apache\apache-tomcat-7.0.55\conf open the web.xml file.
insert a <security-constraint> element directly under the <web-app> element:
After we applied the above we rebooted the application server.
Since then though we have been unable to login to Clarity.
Can anyone please advise? Thanks.
There is an option in PPM to do it via csa
Thank you Suman.
We actually figured out the problem and it didn't have anything to do with the changes made to the Tomcat config.
Your tip is useful to know though as it is a lot "cleaner" to make this change in the CSA, rather than by editing files.