Securing the Tomcat Layer

OpenMRS runs inside Apache Tomcat, and Tomcat itself provides several configuration options that harden the deployment. The most important ones are described below.

Run Tomcat In a Low-Privileged Context

Running Tomcat as a low-privileged process (i.e. not as "root" or "Administrator") is the easiest and most important step in securing the underlying Tomcat server. An attacker who compromises Tomcat, for example through a vulnerability in a deployed web application, then inherits only the permissions of that unprivileged account instead of control of the entire operating system. This also limits the damage from ransomware, which does far more harm when it runs with administrative permissions (encrypting system-wide files and disabling recovery). In practice this means creating a dedicated service account (commonly named "tomcat") that owns only the Tomcat directories it needs to write to, and starting Tomcat under that account. Note that on Linux an unprivileged process cannot bind ports below 1024 without extra configuration, so either keep Tomcat on its default port (8080) behind a reverse proxy that serves 80/443, or grant the bind capability explicitly rather than falling back to running as root.

Disabling Default Tomcat Pages

Most OpenMRS implementations have no use for the default Tomcat documentation, examples, and management applications that come bundled with the Tomcat server. If they aren't serving a purpose, they unnecessarily increase the implementation's attack surface (the manager and host-manager apps in particular allow deploying arbitrary web applications to anyone who obtains their credentials). To remove them, locate the Tomcat installation directory and, under tomcat-dir/webapps/, delete the following folders (and any matching .war files alongside them, otherwise Tomcat may redeploy the application at the next restart):

docs
examples
host-manager
manager
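The removal and a post-removal check as a shell script (an added example, not OpenMRS or Tomcat project code; it assumes the standard layout with the default applications under $CATALINA_HOME/webapps and takes that directory as its only argument):

```shell
#!/bin/sh
# Added example (not OpenMRS or Tomcat project code). Removes the default
# Tomcat webapps listed above from the Tomcat installation whose root
# directory is passed as the first argument (assumed layout: ROOT/webapps/).
set -eu

# Default Tomcat applications that an OpenMRS deployment does not need.
DEFAULT_WEBAPPS="docs examples host-manager manager"

# remove_default_webapps CATALINA_HOME
# Deletes each default webapp directory, and its deployed .war if present,
# under CATALINA_HOME/webapps. Prints what it removed; returns non-zero if
# the webapps directory does not exist (wrong path given).
remove_default_webapps() {
    webapps="$1/webapps"
    [ -d "$webapps" ] || { echo "no webapps directory at $webapps" >&2; return 1; }
    for app in $DEFAULT_WEBAPPS; do
        for path in "$webapps/$app" "$webapps/$app.war"; do
            if [ -e "$path" ]; then
                rm -rf "$path"
                echo "removed $path"
            fi
        done
    done
}

# list_default_webapps CATALINA_HOME
# Audit helper: prints the names of default webapps (directory or .war)
# still present, one per line. Empty output means the installation is clean.
list_default_webapps() {
    webapps="$1/webapps"
    for app in $DEFAULT_WEBAPPS; do
        if [ -e "$webapps/$app" ] || [ -e "$webapps/$app.war" ]; then
            echo "$app"
        fi
    done
    return 0
}

# Usage: sh harden-webapps.sh /opt/tomcat   (the path is an assumed example)
if [ -n "${1:-}" ]; then
    remove_default_webapps "$1"
    if [ -z "$(list_default_webapps "$1")" ]; then
        echo "default webapps removed; remaining applications:"
        ls "$1/webapps"
    fi
fi
```

Run the audit function again after every Tomcat upgrade: an in-place upgrade that unpacks a fresh distribution restores these folders.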

Protect Cookies with "Secure" and "HTTP-Only" Flags

Tomcat can be configured to better guard the session cookie (JSESSIONID), which identifies an authenticated user's session and is therefore as sensitive as the credentials used to log in. The "Secure" flag instructs the browser to send the cookie only over encrypted (HTTPS) connections, so it cannot be captured in transit by an attacker on the network. The "HttpOnly" flag prevents client-side scripts from reading the cookie (for example through document.cookie), so a cross-site scripting (XSS) flaw cannot be used to steal the session.

To enable both flags for the session cookie, ensure that the following config is present inside the <session-config> element of Tomcat's conf/web.xml (which applies to every deployed application; this requires Servlet 3.0, i.e. Tomcat 7 or later) or of the OpenMRS application's own WEB-INF/web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Restart Tomcat after editing web.xml. Be aware that once secure is set to true the browser refuses to return the cookie over plain HTTP, so the OpenMRS login will stop working for anyone who reaches the application without TLS; enable this only after HTTPS is in place, and make sure users are redirected from HTTP to HTTPS (including when TLS is terminated at a reverse proxy in front of Tomcat).
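A way to verify the result from the outside once Tomcat has been restarted, as an added shell example that is not part of the OpenMRS or Tomcat documentation: it parses the Set-Cookie headers of an HTTP response (for instance captured with curl) and reports any cookie that is missing either attribute. The hostname and URL path in the usage comment are assumed examples.

```shell
#!/bin/sh
# Added example (not OpenMRS or Tomcat project code): checks that every
# Set-Cookie header in a response carries both the Secure and HttpOnly
# attributes, so the web.xml change can be verified against the live server.
set -eu

# cookie_has_flags SET_COOKIE_VALUE
# Takes the value of one Set-Cookie header, e.g.
# "JSESSIONID=ABC; Path=/openmrs; Secure; HttpOnly", and returns 0 only if
# both attributes are present as whole tokens. Matching is case-insensitive,
# as browsers treat attribute names. Missing attributes go to stderr.
cookie_has_flags() {
    has_secure=0
    has_httponly=0
    old_ifs=$IFS
    IFS=';'
    for token in $1; do
        # Trim surrounding whitespace and lowercase before comparing.
        token=$(printf '%s' "$token" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case "$token" in
            secure)   has_secure=1 ;;
            httponly) has_httponly=1 ;;
        esac
    done
    IFS=$old_ifs
    missing=""
    [ "$has_secure" -eq 1 ] || missing="$missing Secure"
    [ "$has_httponly" -eq 1 ] || missing="$missing HttpOnly"
    if [ -n "$missing" ]; then
        echo "cookie is missing attribute(s):$missing" >&2
        return 1
    fi
    return 0
}

# check_set_cookie_headers < HEADERS
# Reads raw HTTP response headers on stdin (CRLF line endings are fine) and
# runs cookie_has_flags on every Set-Cookie line. Returns 0 when all cookies
# carry both flags, 1 when any cookie lacks one, and 2 when the response set
# no cookie at all (a session may only be created on a page that starts one,
# so request a page that actually sets JSESSIONID).
check_set_cookie_headers() {
    seen=0
    bad=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in
            set-cookie:*)
                seen=$((seen + 1))
                cookie_has_flags "${line#*:}" || bad=$((bad + 1))
                ;;
        esac
    done
    [ "$seen" -gt 0 ] || { echo "no Set-Cookie header in response" >&2; return 2; }
    [ "$bad" -eq 0 ]
}

# Usage against a running server (hostname and path are assumed examples):
#   curl -s -D - -o /dev/null https://openmrs.example.org/openmrs/login.htm \
#       | check_set_cookie_headers && echo "session cookie flags OK"
```

Run the check over HTTPS, since that is the only transport on which a Secure cookie is ever returned to the browser; a check over plain HTTP would still show the flag in the Set-Cookie header but tells you nothing about whether login actually works.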