On 09/06/2020 07:19, Amit Pande wrote:
> (My apologies if this has been discussed already.)
> 
> A Slow HTTP headers vulnerability was reported by a scanner tool on Tomcat 
> 8.5.54.
> 
> There might not be any perfect solution to address this issue, but I wanted to 
> understand some of the best practices to mitigate this vulnerability.

Use the Servlet Async and non-blocking I/O API to read the POST. That
way no (well, very few) server resources are used unless there is data to
be read. If you wish, you can add checks to your code for abuse (e.g.
check upload speed) and drop potentially abusive connections.

If you want a purely Tomcat configuration-based approach then reducing
timeouts is about all you can do.

Mark
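
One way to implement the approach described in the reply above, as an added example that is not part of the original message or the Tomcat project's code: a Servlet 3.1 (`javax.servlet`, as shipped with Tomcat 8.5) handler that reads the POST body through a `ReadListener` and stops servicing uploads whose average speed falls below a floor. The class name, URL pattern and threshold values are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: URL pattern, class name and thresholds are assumptions.
@WebServlet(urlPatterns = "/upload", asyncSupported = true)
public class RateCheckedUploadServlet extends HttpServlet {
    private static final long GRACE_MS = 5_000;         // allow a slow start
    private static final long MIN_BYTES_PER_SEC = 1024; // assumed floor, tune per application
    private static final long MAX_TOTAL_MS = 60_000;    // cap on the whole async request

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final AsyncContext ctx = req.startAsync();
        ctx.setTimeout(MAX_TOTAL_MS);
        final ServletInputStream in = req.getInputStream();
        final long start = System.currentTimeMillis();
        in.setReadListener(new ReadListener() {
            private final byte[] buf = new byte[8192];
            private long total;

            @Override
            public void onDataAvailable() throws IOException {
                // Read only what is already buffered; when isReady() turns false
                // the container thread is released until more bytes arrive.
                while (in.isReady()) {
                    int n = in.read(buf);
                    if (n == -1) return; // end of body: onAllDataRead() follows
                    total += n;          // application would consume buf[0..n) here
                }
                long elapsed = System.currentTimeMillis() - start;
                if (elapsed > GRACE_MS && total * 1000 / elapsed < MIN_BYTES_PER_SEC) {
                    // Average upload speed is below the floor: stop servicing it.
                    resp.setStatus(HttpServletResponse.SC_REQUEST_TIMEOUT);
                    resp.setHeader("Connection", "close");
                    ctx.complete();
                }
            }

            @Override
            public void onAllDataRead() {
                resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
                ctx.complete();
            }

            @Override
            public void onError(Throwable t) { ctx.complete(); }
        });
    }
}
```

`onDataAvailable()` runs only when bytes arrive, so a client that sends nothing at all is bounded by the async timeout and the connector timeouts rather than by the speed check.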
