[jboss-jira] [JBoss JIRA] (WFLY-1091) ability to remove the response-header Server:Apache-Coyote/1.1

Todd Trimmer (JIRA) jira-events at lists.jboss.org
Mon May 6 15:14:53 EDT 2013


    [ https://issues.jboss.org/browse/WFLY-1091?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12772443#comment-12772443 ] 

Todd Trimmer commented on WFLY-1091:
------------------------------------

I think this should work similarly to how the X-Powered-By request header can be disabled.

We already have: 
/subsystem=web/configuration=jsp-configuration:write-attribute(name=x-powered-by, value=false)

So, too, we should have:
/subsystem=web:write-attribute(name=send-server-header, value=false)

Alternatively, we can have the attribute at the virtual-server level if we want finer granularity.
                
> ability to remove the response-header Server:Apache-Coyote/1.1
> --------------------------------------------------------------
>
>                 Key: WFLY-1091
>                 URL: https://issues.jboss.org/browse/WFLY-1091
>             Project: WildFly
>          Issue Type: Feature Request
>            Reporter: nimo stephan
>
> JBoss AS 7 includes the following HTTP header in every response:
> Server:Apache-Coyote/1.1
> For security issues, it is good to hide this header so attackers cannot easily derive its underlying technology (which, in this case, indicates that Java-Technology/Tomcat is used).
> A possible solution is:
> Invent a new system-property "org.jboss.as.sendServerHeader" which can be set, for example, in standalone.xml:
> <system-properties>
> <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value=""/>
> <property name="org.jboss.as.sendServerHeader" value="false"/>
> </system-properties>
> Note: 
> - Leaving the value of "org.apache.coyote.http11.Http11Protocol.SERVER" results in the Server-Header also being printed, instead of going away. However, with that value I can rename the Server-Header, but not delete it.
> - At first, I thought this was a JSF rendering issue, so I created that issue here http://java.net/jira/browse/JAVASERVERFACES-2445, but it turned out that printing the Server-Header is an "application server level concern".

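An added example, not part of the original message and not JBoss or WildFly code: a Python check that tells a Server header that was actually removed apart from one that was only blanked or renamed, which is the distinction the issue's note draws. The sample responses are constructed and the function names are hypothetical.

```python
import re

# RFC 7231 "product" token such as Apache-Coyote/1.1 (name/version).
PRODUCT = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+/[A-Za-z0-9!#$%&'*+.^_`|~-]+")

def parse_headers(raw: bytes):
    """Return (lowercased name, value) pairs from a raw response's header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def classify_server(raw: bytes) -> str:
    """Return absent, empty, renamed or product-banner for the Server header."""
    values = [v for n, v in parse_headers(raw) if n == "server"]
    if not values:
        return "absent"
    if any(PRODUCT.match(v) for v in values):
        return "product-banner"
    return "renamed" if any(values) else "empty"

def disclosure_findings(raw: bytes):
    """List the banner headers a response still exposes."""
    findings = []
    state = classify_server(raw)
    if state != "absent":
        findings.append(("server", state))
    for name, value in parse_headers(raw):
        if name == "x-powered-by":
            findings.append((name, value))
    return findings

# Constructed sample responses (not captured from a real server).
DEFAULT = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nX-Powered-By: JSP/2.2\r\n\r\nhi"
RENAMED = b"HTTP/1.1 200 OK\r\nSERVER: web\r\nContent-Length: 2\r\n\r\nhi"
BLANKED = b"HTTP/1.1 200 OK\r\nServer:\r\nContent-Length: 2\r\n\r\nhi"
REMOVED = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    for label, raw in [("default", DEFAULT), ("renamed", RENAMED),
                       ("blanked", BLANKED), ("removed", REMOVED)]:
        print(label, disclosure_findings(raw))
```

Only the "absent" result means the header is gone; "empty" and "renamed" still put a Server line on the wire.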