Nuxeo Server

Security Recommendations

Updated: March 18, 2024

This page presents some security recommendations, applicable through configuration files.

Tomcat Web Server

The Tomcat server included in the Nuxeo distribution is already configured following the main security recommendations.

Additionally, consider removing or restricting access to the default Tomcat tools (the admin and manager webapps).

Avoid Sending the Tomcat Version



Apache Web Server

When using Apache HTTP Server as a proxy in front of your Nuxeo instance, you should harden it by following these rules.

Clean the Server Header


# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off

Disallow TRACE Requests


# Allow TRACE method
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
# Set to one of:  On | Off | extended
TraceEnable Off

ETag Headers Generation

Do not use sensitive filesystem information to generate the ETag headers.


FileETag None

Prevent "Clickjacking"


Header always append X-Frame-Options SAMEORIGIN

Prevent Cross Site Scripting - XSS


Header set X-XSS-Protection "1; mode=block"

HTTP Protocol Version

Allow HTTP protocol version 1.1 only.


RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

Prevent "Slowloris" Attacks


Timeout 60

SSL Ciphers

Accept only high-quality SSL ciphers.



SSL Protocols

Accept strong SSL protocols only.


SSLProtocol -all +TLSv1.2


Set the Secure flag on cookies (when using SSL).


Header edit Set-Cookie ^(.*)$ $1;Secure
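To verify that the proxy really emits what the directives above configure, here is an added Python check that is not part of the Nuxeo documentation: it audits a captured HTTP response for the Server header, X-Frame-Options, X-XSS-Protection, the Secure cookie flag, and a refused TRACE. The two sample responses are constructed for the example; a real audit would feed it the output of curl -i.

```python
"""Audit captured HTTP responses against the Apache hardening rules above."""
import re

# Constructed sample: a proxy with Apache defaults (ServerTokens Full, no extra headers).
RAW_UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (Unix) OpenSSL/3.0.2\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/nuxeo; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
# Constructed sample: the same request after applying the directives on this page.
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/nuxeo; HttpOnly;Secure\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)

def _parse(raw):
    """Split a raw response into (status code, [(lowercased name, value), ...])."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def _values(headers, name):
    return [v for n, v in headers if n == name]

def audit_response(raw):
    """Return one boolean per rule; True means the rule is satisfied."""
    _, headers = _parse(raw)
    return {
        # ServerTokens Prod reduces the header to just "Apache"; anything longer leaks details.
        "server_tokens_minimal": all(s == "Apache" for s in _values(headers, "server")),
        "x_frame_options": any(v.upper() in ("SAMEORIGIN", "DENY")
                               for v in _values(headers, "x-frame-options")),
        "xss_protection_block": any(v.replace(" ", "") == "1;mode=block"
                                    for v in _values(headers, "x-xss-protection")),
        # "Header edit Set-Cookie ^(.*)$ $1;Secure" appends ";Secure" to every cookie.
        "cookies_secure": all(re.search(r";\s*secure\b", c, re.I)
                              for c in _values(headers, "set-cookie")),
    }

def trace_refused(raw):
    """TraceEnable Off makes Apache reject TRACE (405); a 403 from a rewrite rule also counts."""
    status, _ = _parse(raw)
    return status in (403, 405)
```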

Use mod_security