Hi guys,

our application security team recommended that we make 3 changes to enhance our application's security:

1. Ensure that the secure flag is set for cookies.
2. Ensure that the HTTPOnly flag is set for cookies
3. Disable all unnecessary methods in the web server config (PUT and DELETE)

To implement we did the following:

1.
In D:\apache\apache-tomcat-7.0.55 open the server.xml file.
Add below parameter (in bold) in server.xml under Connector port syntax:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="60000"
redirectPort="8443"
secure="true"/>

2.
In In D:\apache\apache-tomcat-7.0.55\conf open the context.xml file.
Add the below parameter in context.xml after Context:

<Context useHttpOnly="true">

3.
In In D:\apache\apache-tomcat-7.0.55\conf open the web.xml file.
insert a <security-constraint> element directly under the <web-app> element:


<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

After we applied the above we rebooted the application server.
Since then though we have been unable to login to Clarity.

Can anyone please advise? Thanks.