Bug 66429 - Limit access to Examples and Documentation by localhost only
Summary: Limit access to Examples and Documentation by localhost only
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 11
Classification: Unclassified
Component: Examples
Version: unspecified
Hardware: PC All
Importance: P2 enhancement
Target Milestone: -------
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2023-01-18 06:34 UTC by Konstantin Kolinko
Modified: 2023-02-15 19:32 UTC
Description Konstantin Kolinko 2023-01-18 06:34:56 UTC
I propose to limit access to Examples and Documentation that are bundled with Tomcat, so that they are accessible only from the loopback IP address.

I mean, to configure a RemoteAddrValve, in the same way as has already been done for the Manager and Host-Manager web applications.

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

Justification:

1. According to the Apache Tomcat security considerations [1], it is recommended to remove these web applications, so that they are not exposed to the public.

2. Duplicate copies of documentation are indexed by search engines.

Alternatively, this could be fought either with "<link rel="canonical">" [2], or by blocking indexing either with a robots.txt file (but ROOT is a separate web application, which makes such a solution fragile), or with "<meta name="robots" content="noindex, nofollow">" (but the same HTML pages are published to tomcat.apache.org).

[1] https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications

[2] https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#attr-canonical
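To see what the proposed allow pattern accepts and rejects before deploying it, here is an added Python check (not part of the bug report or of Tomcat itself) that reproduces the RemoteAddrValve allow/deny decision rule with whole-address matching, and runs it over constructed sample client addresses.

```python
import re
from typing import Optional

# The allow pattern posted in the bug report (Java regex syntax, equally valid for Python's re).
LOOPBACK_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def valve_decision(remote_addr: str, allow: Optional[str] = None, deny: Optional[str] = None) -> bool:
    """Return True if the request is passed on, False if it gets the 403.

    Mirrors the documented RemoteAddrValve rules: a 'deny' match rejects first,
    then an 'allow' match accepts, a deny-only configuration accepts anything
    not denied, and everything else is rejected. Tomcat matches the pattern
    against the whole address (Pattern.matches), hence re.fullmatch here.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def check_addresses(addresses, allow=LOOPBACK_ALLOW):
    """Evaluate candidate client addresses against an allow pattern."""
    return {addr: valve_decision(addr, allow=allow) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample values, as a server would see them in request.getRemoteAddr().
    samples = [
        "127.0.0.1",        # IPv4 loopback: allowed
        "127.255.0.7",      # anywhere in 127/8: allowed
        "::1",              # IPv6 loopback, compressed form: allowed
        "0:0:0:0:0:0:0:1",  # IPv6 loopback, expanded form: allowed
        "192.168.1.20",     # LAN client: 403
        "1127.0.0.1",       # would pass a substring search; rejected by the full match
    ]
    for addr, ok in check_addresses(samples).items():
        print(f"{addr:18} -> {'allowed' if ok else '403'}")
```

When Tomcat sits behind a reverse proxy, the remote address the valve sees is the proxy's, so a loopback-only allow list either blocks every client or admits all of them depending on where the proxy runs; RemoteIpValve exists to restore the original client address in that setup.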
Comment 1 Mark Thomas 2023-02-15 19:32:19 UTC
Great idea. Implemented along with a custom 403 error page explaining how to enable access if required.

Fixed in:
- 11.0.x for 11.0.0-M3 onwards
- 10.1.x for 10.1.6 onwards
-  9.0.x for  9.0.72 onwards
-  8.5.x for  8.5.86 onwards