Jetty security depends on enabled modules and handler chain design. Harden startup modules, TLS settings, and deployment boundaries.
- Enable only required modules in start.d.
- Remove demo/test modules from production.
- Disable HTTP if HTTPS-only is possible.
- Use strict request/header limits.
2) Harden TLS and connector config
- Use the ssl and https modules with a modern cipher/protocol policy.
- Set secure defaults for SecureRequestCustomizer and HSTS.
- Protect keystore files and rotate certificates.
- Restrict admin endpoints and JMX exposure.
- Deploy apps as non-root user with read-only runtime where possible.
- Separate JETTY_HOME and JETTY_BASE ownership correctly.
- Disable hot deploy in high-trust environments.
- Keep Jetty and JDK current with security updates.
Verification commands
ls /opt/jetty-base/start.d
grep -R "ssl\|https\|httpConfig\|requestHeaderSize" /opt/jetty-base/start.d /opt/jetty-base/etc
sudo ss -tulpn | grep -E ':8080|:8443|:443'
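The commands above list the start.d directory and grep for settings, but they do not decide whether what they find is acceptable. The script below is an added example (not part of the Jetty project or this checklist) that turns the module, HTTP-vs-HTTPS, request-limit and HSTS items into pass/fail checks against a JETTY_BASE. It builds a throwaway JETTY_BASE with a deliberately weak start.d (constructed sample, not a real deployment), audits it, applies the checklist fixes, and audits again. The property names jetty.httpConfig.requestHeaderSize, jetty.ssl.stsMaxAgeSeconds, jetty.ssl.stsIncludeSubdomains and jetty.sslContext.keyStorePath are the standard Jetty module properties; the demo/test module name patterns and the 8192-byte header limit are assumptions chosen for this example. Comments are stripped before matching, so a commented-out property line is correctly treated as "not set", which a plain grep would miss.

```shell
#!/bin/sh
# Added example: audit a JETTY_BASE/start.d for the weak settings in the checklist.
# Not Jetty project code. Runs offline against a constructed sample base.

# Build a throwaway JETTY_BASE with a deliberately weak start.d (constructed sample).
make_sample_base() {
  base=$(mktemp -d)
  mkdir -p "$base/start.d"
  printf '%s\n' '--module=http' 'jetty.http.port=8080' \
    '# jetty.httpConfig.requestHeaderSize=8192  (commented out: limit not pinned)' \
    > "$base/start.d/http.ini"
  printf '%s\n' '--module=https' 'jetty.ssl.port=8443' > "$base/start.d/https.ini"
  printf '%s\n' '--module=ssl' 'jetty.sslContext.keyStorePath=etc/keystore.p12' \
    '# jetty.ssl.stsMaxAgeSeconds=31536000  (commented out: HSTS off)' \
    > "$base/start.d/ssl.ini"
  printf '%s\n' '--module=demo' > "$base/start.d/demo.ini"   # demo module left enabled
  echo "$base"
}

# List enabled modules: every "--module=a,b" line in start.d/*.ini, comments stripped.
enabled_modules() {
  sed 's/#.*//' "$1"/start.d/*.ini 2>/dev/null \
    | sed -n 's/^[[:space:]]*--module=//p' \
    | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

has_module() { enabled_modules "$1" | grep -qx "$2"; }

# Print the value of an uncommented property (last definition wins), or nothing if unset.
property_value() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the sed regex
  sed 's/#.*//' "$1"/start.d/*.ini 2>/dev/null \
    | sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Audit one JETTY_BASE: findings go to stderr, the finding count to stdout.
audit_base() {
  base=$1; n=0
  for m in $(enabled_modules "$base"); do
    case "$m" in                                   # assumed demo/test module name patterns
      demo|demos|demo-*|test-*)
        echo "FINDING: demo/test module '$m' is enabled" >&2; n=$((n+1)) ;;
    esac
  done
  if has_module "$base" http && has_module "$base" https; then
    echo "FINDING: plain http module enabled alongside https" >&2; n=$((n+1))
  fi
  size=$(property_value "$base" jetty.httpConfig.requestHeaderSize)
  if [ -z "$size" ] || [ "$size" -gt 8192 ]; then  # 8192 is the assumed acceptable ceiling
    echo "FINDING: jetty.httpConfig.requestHeaderSize not pinned to <= 8192" >&2; n=$((n+1))
  fi
  if has_module "$base" ssl && [ -z "$(property_value "$base" jetty.ssl.stsMaxAgeSeconds)" ]; then
    echo "FINDING: HSTS (jetty.ssl.stsMaxAgeSeconds) not set" >&2; n=$((n+1))
  fi
  echo "$n"
}

# Apply the checklist to the sample: drop demo and plain-HTTP modules, pin limits, enable HSTS.
harden_sample() {
  rm -f "$1/start.d/demo.ini" "$1/start.d/http.ini"
  printf '%s\n' '--module=https' 'jetty.ssl.port=8443' \
    'jetty.httpConfig.requestHeaderSize=8192' > "$1/start.d/https.ini"
  printf '%s\n' '--module=ssl' 'jetty.sslContext.keyStorePath=etc/keystore.p12' \
    'jetty.ssl.stsMaxAgeSeconds=31536000' 'jetty.ssl.stsIncludeSubdomains=true' \
    > "$1/start.d/ssl.ini"
}

SAMPLE=$(make_sample_base)
echo "weak sample findings: $(audit_base "$SAMPLE")"
harden_sample "$SAMPLE"
echo "hardened sample findings: $(audit_base "$SAMPLE")"
rm -rf "$SAMPLE"
```

To audit a real installation, call audit_base /opt/jetty-base (or whatever JETTY_BASE is) instead of the constructed sample; a non-zero count means at least one checklist item is not met. The "http alongside https" check reports the condition the checklist calls out, and is the one to relax only where a plain listener is genuinely required.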
- Jetty Operations Guide (Security): https://jetty.org/docs/jetty/12/operations-guide/security/index.html
- Jetty security reports: https://jetty.org/security-report.html
- Jetty project: https://github.com/eclipse/jetty.project