]
Brian Stansberry updated WFLY-1091:
-----------------------------------
Assignee: Stuart Douglas
Component/s: Web (Undertow)
Although this was filed when JBoss Web was integrated, I'll setting the component on
this to Undertow in case it's not already configurable there.
ability to remove the response-header Server:Apache-Coyote/1.1
--------------------------------------------------------------
Key: WFLY-1091
URL:
https://issues.jboss.org/browse/WFLY-1091
Project: WildFly
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Web (Undertow)
Reporter: nimo stephan
Assignee: Stuart Douglas
Jboss AS 7 includes the following HTTP-Header for every response:
Server:Apache-Coyote/1.1
For security issues, it is good to hide this header so attackers cannot easily derivate
its underlying technology (which, in this case, indicates that Java-Technology/Tomcat is
used).
Possible solutions is:
Invent a new system-property "org.jboss.as.sendServerHeader" which can be set,
for example, in standalone.xml:
<system-properties>
<property name="org.apache.coyote.http11.Http11Protocol.SERVER"
value=""/>
<property name="org.jboss.as.sendServerHeader" value="false"/>
</system-properties>
Note:
- leaving the value of "org.apache.coyote.http11.Http11Protocol.SERVER" results
in printing the Server-Header also, instead of to go away. However, with that value I can
rename the Server-Header, but not deleting it.
- At first, I have thought this is a JSF-Rendering-Issue, so I created that issue here
http://java.net/jira/browse/JAVASERVERFACES-2445, but it stated out that printing the
Server-Header is a "application server level concern".
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: