[jboss-jira] [JBoss JIRA] (AS7-5028) ability to remove the response-header Server:Apache-Coyote/1.1

nimo stephan (JIRA) jira-events at lists.jboss.org
Wed Jun 20 02:39:12 EDT 2012


nimo stephan created AS7-5028:
---------------------------------

             Summary: ability to remove the response-header Server:Apache-Coyote/1.1
                 Key: AS7-5028
                 URL: https://issues.jboss.org/browse/AS7-5028
             Project: Application Server 7
          Issue Type: Feature Request
    Affects Versions: 7.1.1.Final
            Reporter: nimo stephan


JBoss AS 7 includes the following HTTP header in every response:

Server:Apache-Coyote/1.1

For security reasons, it is good to hide this header so attackers cannot easily derive the underlying technology (which, in this case, indicates that Java technology/Tomcat is used).

A possible solution is:

Invent a new system property "org.jboss.as.sendServerHeader" which can be set, for example, in standalone.xml:

<system-properties>
    <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value=""/>
    <property name="org.jboss.as.sendServerHeader" value="false"/>
</system-properties>

Note:
- Leaving the value of "org.apache.coyote.http11.Http11Protocol.SERVER" empty still results in the Server header being printed instead of going away. With that property I can rename the Server header, but not delete it.
- At first I thought this was a JSF rendering issue, so I created that issue here: http://java.net/jira/browse/JAVASERVERFACES-2445, but it turned out that printing the Server header is an "application server level concern".

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
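A small header audit a defender can run against their own deployment to confirm whether the Server header (and the similar X-Powered-By header) still discloses the stack after a configuration change. This is an added example, not code from the JIRA issue or from JBoss; the "Apache-Coyote/1.1" value is the one reported in the issue, the sample response and the other fingerprint patterns are constructed for the example.

```python
"""Audit HTTP response headers for technology disclosure (added example)."""
import re
import urllib.request

# Headers that commonly disclose the server stack (constructed list for this example).
DISCLOSING_HEADERS = ("Server", "X-Powered-By")

# Product patterns an auditor would flag. "Apache-Coyote" is the value reported
# in the issue; the other two patterns are assumptions made for this example.
KNOWN_FINGERPRINTS = {
    re.compile(r"Apache-Coyote/\d", re.I): "Tomcat/JBoss Web connector",
    re.compile(r"JBoss", re.I): "JBoss application server",
    re.compile(r"Servlet/\d", re.I): "Java servlet container",
}

# Constructed sample of the response described in the issue (not a captured response).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_raw_response_headers(raw):
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. Parsing stops at the first blank line."""
    headers = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return findings as (header name, value, what it reveals) tuples.
    `headers` is a dict of response headers; key case is ignored.
    A header that is absent or empty discloses nothing and is not reported."""
    normalized = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in DISCLOSING_HEADERS:
        value = normalized.get(name.lower())
        if not value:
            continue
        revealed = "generic product banner"
        for pattern, description in KNOWN_FINGERPRINTS.items():
            if pattern.search(value):
                revealed = description
                break
        findings.append((name, value, revealed))
    return findings


def audit_url(url, timeout=5):
    """Fetch `url` (a server you administer) with a HEAD request and audit
    its response headers. No body is transferred."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for name, value, revealed in audit_headers(parse_raw_response_headers(SAMPLE_RESPONSE)):
        print(f"{name}: {value}  -> reveals {revealed}")
```

Run it against the constructed sample to see the finding for Apache-Coyote, then point `audit_url` at your own server after changing the configuration: an empty findings list means neither header is disclosing a product any more, while a renamed Server value still shows up as a "generic product banner", which matches the reporter's observation that the SERVER property renames the header rather than removing it.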
