By default, an HTTP and an AJP connector are configured. Connectors
      that will not be used should be removed from server.xml.
      
      The address attribute may be used to control which IP
      address the connector listens on for connections. By default, the
      connector listens on all configured IP addresses.
      
      The allowTrace attribute may be used to enable TRACE
      requests, which can be useful for debugging. Due to the way some browsers
      handle the response from a TRACE request (which exposes the browser to an
      XSS attack), support for TRACE requests is disabled by default.
      
      The maxPostSize attribute controls the maximum size
      of a POST request that will be parsed for parameters. The parameters are
      cached for the duration of the request so this is limited to 2MB by
      default to reduce exposure to a DoS attack.
      
      The maxSavePostSize attribute controls the saving of
      POST requests during FORM and CLIENT-CERT authentication. The parameters
      are cached for the duration of the authentication (which may be many
      minutes) so this is limited to 4KB by default to reduce exposure to a DoS
      attack.
      
      The xpoweredBy attribute controls whether or not the
      X-Powered-By HTTP header is sent with each response. If sent, the value of
      the header contains the Servlet and JSP specification versions, the full
      Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and
      the version of the JVM. This header is disabled by default. This header
      can provide useful information to both legitimate clients and attackers.
      
      The server attribute controls the value of the Server
      HTTP header. The default value of this header for Tomcat 4.1.x, 5.0.x,
      5.5.x, 6.0.x and 7.0.x is Apache-Coyote/1.1. This header can provide
      limited information to both legitimate clients and attackers.
      
      The SSLEnabled, scheme and
      secure attributes may all be independently set. These are
      normally used when Tomcat is located behind a reverse proxy and the proxy
      is connecting to Tomcat via HTTP or HTTPS. They allow Tomcat to see the
      SSL attributes of the connections between the client and the proxy rather
      than the proxy and Tomcat. For example, the client may connect to the
      proxy over HTTPS but the proxy connects to Tomcat using HTTP. If it is
      necessary for Tomcat to be able to distinguish between secure and
      non-secure connections received by a proxy, the proxy must use separate
      connectors to pass secure and non-secure requests to Tomcat. If the
      proxy uses AJP then the SSL attributes of the client connection are
      passed via the AJP protocol and separate connectors are not needed.
      
      The ciphers attribute controls the ciphers used for
      SSL connections. By default, the default ciphers for the JVM will be used.
      This usually means that the weak export-grade ciphers will be included in
      the list of available ciphers. Secure environments will normally want to
      configure a more limited set of ciphers.
      
      The tomcatAuthentication attribute is used with the
      AJP connectors to determine if Tomcat should authenticate the user or if
      authentication can be delegated to the reverse proxy that will then pass
      the authenticated username to Tomcat as part of the AJP protocol.
      
      The allowUnsafeLegacyRenegotiation attribute provides
      a workaround for CVE-2009-3555, a TLS man-in-the-middle attack. This
      workaround applies to the BIO connector. It is only necessary if the
      underlying SSL implementation is vulnerable to CVE-2009-3555. For more
      information on the current state of this vulnerability and the
      workarounds available see the Tomcat 7 security page.
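
The following is an added example, not part of the Tomcat documentation: a Python audit that checks each Connector in a constructed server.xml fragment against the attributes described above. The function names `audit` and `audit_connector` and the finding texts are illustrative, and treating a negative size value as "no limit" is an assumption about Tomcat's handling.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration (not a real deployment).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" allowTrace="true"
             xpoweredBy="true" maxPostSize="-1"/>
  <Connector port="8443" protocol="HTTP/1.1" address="192.0.2.10"
             SSLEnabled="true" scheme="https" secure="true"
             allowUnsafeLegacyRenegotiation="true"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             tomcatAuthentication="false"/>
</Service></Server>"""

# Boolean attributes that are off by default and weaken the connector when on.
FLAGS = {"allowTrace": "TRACE requests enabled",
         "xpoweredBy": "X-Powered-By discloses Tomcat and JVM versions",
         "allowUnsafeLegacyRenegotiation": "legacy renegotiation (CVE-2009-3555)"}
# Default size limits from the text: 2MB and 4KB.
LIMITS = {"maxPostSize": 2 * 1024 * 1024, "maxSavePostSize": 4 * 1024}

def audit_connector(c):
    """Return the list of findings for one <Connector> element."""
    f = [msg for attr, msg in FLAGS.items() if c.get(attr, "false").lower() == "true"]
    if c.get("address") is None:
        f.append("no address: listens on all configured IP addresses")
    for attr, default in LIMITS.items():
        v = c.get(attr)
        # Assumption: a negative value disables the limit entirely.
        if v is not None and (int(v) < 0 or int(v) > default):
            f.append(f"{attr} removes or raises the default limit")
    if c.get("SSLEnabled", "false").lower() == "true" and not c.get("ciphers"):
        f.append("no ciphers attribute: JVM default cipher list in use")
    if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
        f.append("AJP connector: remove if unused")
        if c.get("tomcatAuthentication", "true").lower() == "false":
            f.append("tomcatAuthentication=false: username accepted from proxy")
    return f

def audit(xml_text):
    """Map each connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c) for c in root.iter("Connector")}

if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        for item in findings:
            print(f"port {port}: {item}")
```

A connector with an explicit address, no enabled flags and size limits at or below the defaults produces an empty findings list.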