10.11 Force SSL for all applications

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Use the transport-guarantee attribute to ensure SSL protection when accessing all applications. This can be overridden on a per application basis in the application configuration.

Rationale:

By default, when accessing applications SSL will be enforced to protect information sent over the network. By using the transport-guarantee attribute within web.xml, SSL is enforced.

Note: This requires SSL to be configured.

Impact:

If the data protection level is set to INTEGRAL or CONFIDENTIAL, and the client is not already using SSL, then the client is redirected to the same URI, but using port 443 or the port defined for the redirectPort attribute in the <Connector> element in server.xml.

Solution

Set transport-guarantee to CONFIDENTIAL in $CATALINA_HOME/conf/web.xml:

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Default Value:

By default this configuration is not present.

See Also

https://workbench.cisecurity.org/files/3090