I find it quite surprising that you are worried about security for a version that is so old (the latest Tomcat on the 7.0.x branch is 7.0.103). Proper security practices call for using the latest versions, where security issues might be resolved.

From: Victor Rodriguez <victropo...@gmail.com>
Sent: Friday, March 27, 2020 11:55 AM
To: dev@tomcat.apache.org
Subject: Malicious Headers

We are using Fortify, which is a static code analysis tool to find vulnerabilities in your code, and it's saying that code might be susceptible to malicious header injection, such as CRLF. However, it also says that "Many of today's modern application servers will prevent the injection of malicious characters into HTTP headers. For example, recent versions of Apache Tomcat will throw an IllegalArgumentException if you attempt to set a header with prohibited characters. If your application server prevents setting headers with new line characters, then your application is not vulnerable to HTTP Response Splitting."

Does Tomcat prevent the injection of malicious characters into HTTP headers? We are currently using Apache Tomcat/7.0.53.

Thanks!

--
Sent from neither my iPhone nor my iPad.
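
An application-level version of the check the quoted Fortify text describes, as an added example that is not part of the original thread or of Tomcat's code: a servlet filter that throws IllegalArgumentException when a response header name or value contains CR, LF or NUL. The class name HeaderGuardFilter is hypothetical, and the javax.servlet API (Servlet 3.0, as implemented by Tomcat 7) is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example: HeaderGuardFilter is a hypothetical name, not a Tomcat class.
// It rejects CR, LF and NUL in response headers inside the application, so the
// check does not depend on which container version is deployed.
public class HeaderGuardFilter implements Filter {
    // True when the string carries a character that could split the response.
    static boolean hasProhibitedChars(String s) {
        if (s == null) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') return true;
        }
        return false;
    }

    static void check(String name, String value) {
        if (hasProhibitedChars(name) || hasProhibitedChars(value)) {
            // Do not echo the offending data back into the message or logs.
            throw new IllegalArgumentException("Prohibited character in HTTP response header");
        }
    }
    // Wraps the container's response so every header write is validated first.
    static class GuardedResponse extends HttpServletResponseWrapper {
        GuardedResponse(HttpServletResponse response) { super(response); }
        @Override public void setHeader(String name, String value) {
            check(name, value);
            super.setHeader(name, value);
        }
        @Override public void addHeader(String name, String value) {
            check(name, value);
            super.addHeader(name, value);
        }
        @Override public void sendRedirect(String location) throws IOException {
            check("Location", location); // the redirect target ends up in a header
            super.sendRedirect(location);
        }
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        ServletResponse out = (res instanceof HttpServletResponse)
                ? new GuardedResponse((HttpServletResponse) res) : res;
        chain.doFilter(req, out);
    }
}
```

Mapping the filter to `/*` in web.xml makes it wrap every response; headers written through `addCookie` are not covered by this sketch.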