
I have a web project deployed in Tomcat.
I have run various tests including security tool tests.
One of the tests reported that using OPTIONS it was possible to detect acceptable HTTP requests per application URL.
My question is how can I disable this feature?
I am not sure why this happens. The servlets implement the POST but not the rest of the methods.
Is this a programming issue? Should I have overridden doOptions for example, or can I configure something in the Tomcat instance and get away with it?

Thanks

Cratylus

1 Answer


I think that the best solution is to hide Tomcat behind a hardened reverse proxy. You can pass your whole http(s) traffic through a security proxy. It can detect the attempts of attacks and block them. It can perform access control and terminate SSL. For example WebSphere DataPower or WebSEAL can be used as such a proxy. You can even use Apache HTTP Server for this purpose.

zacheusz
  • Maybe I am wrong, but I think that for Tomcat the most suitable is Apache HTTP? Also, how easy is it to add a reverse proxy in an already deployed environment? – Cratylus Jul 11 '11 at 21:29
  • Yes - we can discuss Apache HTTP, but I have no doubt about such solutions as the DataPower appliance. There are lots of deployment scenarios but they are not very complicated. You don't have to make large changes in Tomcat (if any at all). – zacheusz Jul 11 '11 at 21:34
  • Do you have a reference I can look into or do you have a suggestion on this? – Cratylus Jul 11 '11 at 21:37
  • Here are slides about the DataPower Web application firewall: http://www.scribd.com/doc/58449311/9/DataPower-Web-Application-Firewall This is a detailed instruction on how to implement it using DataPower: http://www.ibm.com/developerworks/websphere/library/techarticles/0712_sheikh/0712_sheikh.html (I've implemented such solutions using DataPower and WebSEAL on my own.) – zacheusz Jul 11 '11 at 21:45
  • Maybe you can also look here http://en.wikipedia.org/wiki/Application_firewall#Web_application_firewalls – zacheusz Jul 11 '11 at 21:52