Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/01/05 21:11:48 UTC

Re: Tomcat vs simple hand rolled standalone server ..

On 05/01/2021 18:47, John Dale wrote:
> Greetings Everyone;
> 
> I'm writing for small devices with limited power.
> 
> Last year I wrote a simple web server to receive GET requests to do a
> handful of commands over the network that included some sound card
> interfacing among other things.
> 
> It got me thinking about Tomcat in terms of flood/overflow/security
> protections.  What is tomcat 9x doing if anything for this?  Are
> buffer overflow protections something provided by the JVM/FW/OS alone?
> What other information does tomcat have beyond declarative security
> in web archive metadata?

Off the top of my head:
a) Very strict protocol checking
b) Limits on header sizes
c) Limits on header counts
d) Limits on parameter counts
e) Comprehensive protocol support covering all the edge cases (it would
   be treated as a bug if we missed one)
f) Lots of real-world use to give confidence in a) and e)
g) Limits on cookie counts
h) Configurable thread pool and back-log
i) HTTP/2 has a bunch of additional checks including coverage of the
   sort of abusive client behaviour that triggered DoS in a number of
   HTTP/2 servers a year or two ago
j) CORSFilter

Just about all of the above is configurable.

And probably a bunch of stuff I've forgotten about.

Mark
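The limits Mark lists (header size and count, parameter count, cookie count, thread pool and backlog, HTTP/2 abuse checks, CORSFilter) are all set in Tomcat's own configuration. The fragment below is an added illustration, not taken from Mark's reply; the attribute names are standard Tomcat 9 Connector, UpgradeProtocol and CorsFilter settings, while the numeric values and the origin URL are illustrative assumptions, not recommended defaults.

```xml
<!-- conf/server.xml: one HTTP/1.1 connector with explicit request limits
     (illustrative values; tune them to the device and workload) -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="10000"
           maxThreads="8"            <!-- thread pool: small board, few cores -->
           acceptCount="20"          <!-- backlog once all threads are busy -->
           maxConnections="64"       <!-- connections kept open by the connector -->
           maxHttpHeaderSize="4096"  <!-- bytes of request line + headers -->
           maxHeaderCount="50"       <!-- reject requests with more headers -->
           maxParameterCount="100"   <!-- query + form parameters per request -->
           maxCookieCount="20"       <!-- cookies accepted per request -->
           maxPostSize="65536"       <!-- bytes of form body parsed as parameters -->
           maxSwallowSize="65536">   <!-- unread body Tomcat will drain before closing -->
    <!-- HTTP/2 with the overhead accounting that counters the 2019-style
         abusive-client patterns (ping/reset/window-update floods) -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     overheadCountFactor="10"
                     overheadDataThreshold="1024"
                     overheadWindowUpdateThreshold="1024"/>
</Connector>

<!-- WEB-INF/web.xml: CORS restricted to one origin (placeholder origin) -->
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>https://controller.example.invalid</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Requests that exceed maxHttpHeaderSize, maxHeaderCount or maxCookieCount are rejected with a 4xx before any servlet runs, which is the behaviour a small device wants when it cannot afford to buffer an oversized request; check the access log and catalina.out after tightening these to confirm legitimate clients still fit.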
