Load Balancer/Web Server
  • Ensure that nobody can access the Dynamo Administration UI (/dyn/admin) from the public internet. Block it at the web server or load balancer rather than relying on the application's own login.
  • Ensure that production SSL certificates have been installed, have the proper domain, and haven't expired
  • Ensure that redirects are in place to send users from the old site to the new site. For instance, if the old site had a context path of /oldsite and the new site has a context path of /newsite, users requesting /oldsite or any page under /oldsite should receive a 301 to the corresponding /newsite page, not a 404
  • Ensure that favicon.ico is in place
  • Check that service/auxiliary instances (GSS/PES/SLM, etc) are not receiving any user sessions
  • Verify that requests to http(s)://host get redirected to http(s)://host/contextpath (if there is one)
  • Ensure that gzip compression is used for HTML/CSS/JavaScript
  • Verify that robots.txt is in place
  • Verify that directory listing is turned off
  • Ensure that sitemap.xml is in place
  • Ensure that the Expires (or Cache-Control max-age) header is set properly for all static media. On the second request of a session, all static media should be served from the user's browser cache without the browser revalidating with the web server; if the access log shows a stream of HTTP 304 responses for static files, the headers are not set far enough into the future
  • Ensure that Keep-Alives are properly set for each application
  • Consider adding the "X-Content-Type-Options: nosniff" HTTP header so browsers do not MIME-sniff responses into executable content
  • Make sure that JkLogLevel is set to "error" in mod-jk.conf (or in httpd.conf, if mod_jk is configured there)
  • Consider setting the "HttpOnly" attribute when placing cookies. This does not stop XSS itself, but it prevents injected JavaScript from reading the session cookie, which blocks the most common outcome of XSS (session hijacking). See product documentation
  • Consider blocking HTTP requests to embedded JSP fragments, such as header.jsp and footer.jsp. Customers should only be able to access container JSPs, such as index.jsp or registration.jsp
  • If you have redirects in place to your mobile site for mobile users, preserve the entire link upon redirect. For example, a search engine will index deep links on the main site. If a user on a mobile device clicks on one of those links, redirect the user to the equivalent page on the mobile site, not to the mobile home page. Losing links this way is common and frustrating to mobile users
  • For Apache Web Server, make sure to use the Worker MPM. By default, Apache is configured to use the Prefork MPM, which is less efficient in front of application servers. Oracle HTTP Server has the Worker MPM configured as its default, and Red Hat's httpd packages include a worker build as well. To enable it, uncomment the HTTPD=/usr/sbin/httpd.worker line in /etc/sysconfig/httpd and restart httpd
  • For Apache Web Server, configure the Worker MPM to run a single child process holding the whole thread pool. Example: StartServers 1, ServerLimit 1, ThreadLimit 2048, ThreadsPerChild 2048, MaxClients 2048, MaxRequestsPerChild 0. Note that MaxClients must equal ServerLimit x ThreadsPerChild and ThreadLimit must be at least ThreadsPerChild, or httpd will silently cap the values; MaxRequestsPerChild 0 disables process recycling, which with a single child would otherwise drop every active connection at once
  • If using Oracle Traffic Director, see this white paper: Tuning Oracle Traffic Director for Oracle Fusion Middleware and Business Applications within Exalogic (PDF)
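The web-server items in the checklist above, pulled together as one httpd.conf fragment. This is an added example, not configuration from the page or from Oracle; it targets Apache 2.2 with mod_jk (the access control uses Order/Deny, which Apache 2.4 replaces with Require), and the hostname, certificate paths, context paths, JK worker name and the internal admin network range are assumptions to be replaced with the environment's own values. Apache does not allow trailing comments, so every comment sits on its own line.

```apache
# Added example, not the page's own configuration. Apache 2.2 + mod_jk.
# Hostname, paths, worker name and admin network are assumptions.

# mod_jk: only log errors (JkLogLevel is server-wide, not per vhost)
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    error

# Worker MPM: one child process owning the whole thread pool
<IfModule worker.c>
    StartServers         1
    ServerLimit          1
    ThreadLimit          2048
    ThreadsPerChild      2048
    MaxClients           2048
    MaxRequestsPerChild  0
</IfModule>

<VirtualHost *:443>
    # assumed hostname and certificate paths
    ServerName   www.example.com
    DocumentRoot /var/www/static

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/chain.crt

    KeepAlive On
    KeepAliveTimeout 5
    MaxKeepAliveRequests 100

    # Dynamo admin UI: deny everything except the assumed internal admin range.
    # This Location is evaluated before JkMount forwards the request.
    <Location /dyn/admin>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Location>

    # Embedded JSP fragments are only ever included server-side; refuse
    # direct requests so only container pages such as index.jsp are reachable.
    <LocationMatch "/(header|footer)\.jsp$">
        Order deny,allow
        Deny from all
    </LocationMatch>

    # Bare host goes to the context path; old context path goes to the new one,
    # keeping the rest of the URL so deep links keep working.
    RedirectMatch 301 ^/$ /newsite/
    RedirectMatch 301 ^/oldsite(/.*)?$ /newsite$1

    # No directory listings for anything httpd serves itself.
    Options -Indexes

    # Application traffic to the app server via mod_jk (assumed worker name);
    # static media is served by httpd from DocumentRoot instead.
    JkMount   /newsite/* atgworker
    JkUnMount /newsite/static/* atgworker

    # Static media: far-future expiry so the second request never revalidates.
    <LocationMatch "\.(css|js|png|jpg|gif|ico|xml|txt)$">
        ExpiresActive On
        ExpiresDefault "access plus 30 days"
        Header set Cache-Control "public, max-age=2592000"
    </LocationMatch>

    # gzip text assets on the way out.
    AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/x-javascript

    # Stop browsers from MIME-sniffing responses.
    Header always set X-Content-Type-Options "nosniff"
</VirtualHost>
```

Run `apachectl configtest` after editing, then verify from outside the network with `curl -I`: /dyn/admin should return 403, /oldsite/anything should return 301 with a Location of /newsite/anything, a request for a CSS file should carry Expires and Cache-Control headers, and a request sent with `Accept-Encoding: gzip` should come back with `Content-Encoding: gzip`. robots.txt, sitemap.xml and favicon.ico are simply files placed in DocumentRoot under this layout.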