System Properties

Setting org.apache.catalina.connector.RECYCLE_FACADES system property to true will cause a new facade object to be created for each request. This reduces the chances of a bug in an application exposing data from one request to another.

The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties allow non-standard parsing of the request URI. Using these options when behind a reverse proxy may enable an attacker to bypass any security constraints enforced by the proxy.

The org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER system property has security implications if disabled. Many user agents, in breach of RFC2616, try to guess the character encoding of text media types when the specification-mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 a response containing characters that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7.
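These four properties are usually set in `conf/catalina.properties` (every entry there becomes a system property) or as `-D` flags in `CATALINA_OPTS`. The following POSIX shell script, an added example that is not part of the Tomcat documentation, reads a properties file and reports each of the properties above whose effective value is the weaker one. Unset properties are evaluated at the defaults assumed here (`RECYCLE_FACADES`, `ALLOW_BACKSLASH` and `ALLOW_ENCODED_SLASH` default to `false`, `ENFORCE_ENCODING_IN_GET_WRITER` to `true`, matching current Tomcat documentation); the sample files it audits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a catalina.properties-style file for the connector
# system properties discussed above. Not part of Tomcat itself.

# prop_value FILE KEY
# Print the value of KEY in FILE (empty if absent). Comment lines starting
# with '#' or '!' are skipped and the last definition wins, as in
# java.util.Properties. Dots in KEY are escaped for the sed pattern.
prop_value() {
    file=$1; key=$2
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    grep -v '^[[:space:]]*[#!]' "$file" 2>/dev/null \
      | sed -n "s/^[[:space:]]*${esc}[[:space:]]*[=:][[:space:]]*//p" \
      | tail -n 1 | tr -d '[:space:]'
}

# check_prop FILE KEY RISKY_VALUE ASSUMED_DEFAULT REASON
# Print one "KEY=value: REASON" line if the effective value equals RISKY_VALUE.
check_prop() {
    file=$1; key=$2; risky=$3; default=$4; reason=$5
    v=$(prop_value "$file" "$key")
    if [ -z "$v" ]; then
        v=$default   # assumed Tomcat default when the property is not set
    fi
    if [ "$v" = "$risky" ]; then
        echo "$key=$v: $reason"
    fi
}

# audit_tomcat_props FILE
# One finding per line on stdout; no output means all four settings are safe.
audit_tomcat_props() {
    f=$1
    check_prop "$f" org.apache.catalina.connector.RECYCLE_FACADES \
        false false "facade objects are reused; a buggy app may leak data across requests"
    check_prop "$f" org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH \
        true false "non-standard URI parsing; proxy security constraints may be bypassed"
    check_prop "$f" org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH \
        true false "non-standard URI parsing; proxy security constraints may be bypassed"
    check_prop "$f" org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER \
        false true "charset not enforced; browsers may sniff UTF-7 and expose XSS"
}

# Constructed sample files (not real deployment configuration).
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed catalina.properties fragment with the weaker settings
org.apache.catalina.connector.RECYCLE_FACADES=false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH = true
org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false
EOF
}

write_hardened_sample() {
    cat > "$1" <<'EOF'
# constructed catalina.properties fragment with the recommended settings
org.apache.catalina.connector.RECYCLE_FACADES=true
# ALLOW_BACKSLASH and ALLOW_ENCODED_SLASH left unset (default false)
org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true
EOF
}

# Stand-alone demo: audit the weak file, then the hardened one.
sample=$(mktemp)
write_weak_sample "$sample"
echo "== weak sample =="
audit_tomcat_props "$sample"
write_hardened_sample "$sample"
echo "== hardened sample =="
audit_tomcat_props "$sample"
rm -f "$sample"
```

To audit a real installation, call `audit_tomcat_props "$CATALINA_BASE/conf/catalina.properties"`; properties passed as `-D` flags in `setenv.sh` or `CATALINA_OPTS` are not covered by this file-based check and need to be reviewed separately (the running JVM's arguments are the authoritative source).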
