STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-222934

CAT II (Medium)

DefaultServlet must be set to readonly for PUT and DELETE.

Rule ID

SV-222934r1137578_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000213

Discussion

The DefaultServlet is a servlet shipped with Tomcat. It is mapped to "/" and handles every request that no other servlet mapping claims, serving static resources as well as directory listings, and it is declared globally in $CATALINA_BASE/conf/web.xml. By default, Tomcat behaves as if the DefaultServlet's "readonly" init-param were set to "true" (HTTP methods such as PUT and DELETE are rejected). However, the "readonly" parameter is not present in web.xml by default, so to ensure proper configuration and system operation the parameter must be created in web.xml and set to "true". Declaring the setting explicitly provides assurance that the system is operating as required and that the behavior does not depend on an unstated default. Setting "readonly" to "false" allows clients to delete or modify static resources on the server and to upload new resources with HTTP PUT, including executable content such as JSP files written into an application's document root.

Check Content

From the Tomcat server run the following command:

sudo grep -i -B2 -A12 defaultservlet "$CATALINA_BASE/conf/web.xml"

The stock declaration lists the "debug" and "listings" init-params ahead of where a "readonly" entry would be added, so a narrow context window (for example -A5) can stop before the line that matters; widen it until the closing </servlet> tag is visible. An application can also redeclare the "default" servlet in its own WEB-INF/web.xml, which overrides the global declaration for that application, so review those files as well.

If the "readonly" param-value for the "DefaultServlet" servlet class is "false" or does not exist, this is a finding.

Fix Text

From the Tomcat server console as a privileged user:

Edit the $CATALINA_BASE/conf/web.xml file and locate the <servlet> element whose servlet-class is org.apache.catalina.servlets.DefaultServlet.

If an init-param named "readonly" does not exist inside that element, it must be created.

Ensure the "readonly" param-value for the "DefaultServlet" servlet class is "true", then restart Tomcat so the change takes effect.
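As an added example (not DISA's check procedure and not part of Tomcat), the following POSIX shell script performs the Check Content above and carries the Fix Text's init-param below. check_readonly locates the DefaultServlet declaration regardless of how many init-params precede "readonly", and write_sample and ro_param build constructed web.xml files (the stock Tomcat 9 declaration, the same with the STIG fix applied, and one opened up with "false") to show the three outcomes. The function names and the readonly=<value> output format are this example's own.

```shell
#!/bin/sh
# Added example for V-222934; not DISA's check script and not Tomcat's own code.
# check_readonly FILE: find the <servlet> whose class is DefaultServlet and
# report its "readonly" init-param. Prints readonly=<value> and returns
#   0 when readonly is explicitly "true" (compliant),
#   1 when it is missing or set to anything else (finding),
#   2 when FILE has no DefaultServlet declaration at all.
check_readonly() {
    file="$1"
    # Pass 1: collect each <servlet>...</servlet> element, keep the DefaultServlet one.
    block=$(awk '
        /<servlet>/   { buf = ""; inblk = 1 }
        inblk         { buf = buf $0 "\n" }
        /<\/servlet>/ { inblk = 0; if (buf ~ /DefaultServlet/) print buf }
    ' "$file")
    if [ -z "$block" ]; then
        printf 'readonly=no-defaultservlet\n'
        return 2
    fi
    # Pass 2: the <param-value> that follows <param-name>readonly</param-name>,
    # whether it sits on the same line or a later one.
    value=$(printf '%s\n' "$block" | awk '
        /<param-name>[ \t]*readonly[ \t]*<\/param-name>/ { want = 1 }
        want && /<param-value>/ {
            sub(/.*<param-value>[ \t]*/, "")
            sub(/[ \t]*<\/param-value>.*/, "")
            print tolower($0); exit
        }
    ')
    case "$value" in
        true) printf 'readonly=true\n';        return 0 ;;
        "")   printf 'readonly=missing\n';     return 1 ;;
        *)    printf 'readonly=%s\n' "$value"; return 1 ;;
    esac
}

# ro_param VALUE: the init-param the Fix Text asks for, as it belongs inside the
# DefaultServlet <servlet> element (VALUE must be true to be compliant).
ro_param() {
    printf '    <init-param>\n      <param-name>readonly</param-name>\n      <param-value>%s</param-value>\n    </init-param>' "$1"
}

# write_sample FILE EXTRA: constructed web.xml (not a real Tomcat file) carrying
# the stock Tomcat 9 DefaultServlet declaration, which has debug and listings
# but no readonly param; EXTRA is spliced in ahead of <load-on-startup>.
write_sample() {
    out="$1"; extra="$2"
    cat > "$out" <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
${extra}
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
EOF
}

# Demo: stock file (finding), fixed file (compliant), and one set to false (finding).
demo() {
    d=$(mktemp -d)
    write_sample "$d/stock.xml" ""
    write_sample "$d/fixed.xml" "$(ro_param true)"
    write_sample "$d/open.xml"  "$(ro_param false)"
    for f in stock fixed open; do
        printf '%s: ' "$f"; check_readonly "$d/$f.xml" || true
    done
    rm -rf "$d"
}
demo
```

Run check_readonly against "$CATALINA_BASE/conf/web.xml" and, because an application's WEB-INF/web.xml can redeclare the "default" servlet and override the global setting for that application, against each deployed application's WEB-INF/web.xml as well. After restarting Tomcat, a runtime confirmation against a deployed application is curl -i -X PUT --data-binary 'x' http://localhost:8080/stig-probe.txt, which should answer 403 or 405 rather than 201 or 204.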