https://bz.apache.org/bugzilla/show_bug.cgi?id=58750

            Bug ID: 58750
           Summary: Provide way to disable Server header completely
           Product: Tomcat 8
           Version: 8.0.30
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: rwi...@gmail.com

Tomcat currently allows overriding the Server attribute, but does not allow
removing the Server header completely. It would be valuable from a security
perspective to be able to remove the header completely. 

One might argue this provides little value (it is security through obscurity).
In my opinion there is a big difference between relying on obscurity and
preventing information leakage. If your security depends on obscurity (i.e. that
is the only security measure you take), then I think we can agree this is bad.

Most agree that security is best in depth. To me this means preventing
information leakage (removing the header) does provide value.

Users could set the Tomcat header to something nonsensical, but this gives
information away too. Most servers provide a way to disable the header
completely, so this reveals that the user is likely using an application server
that does not support it.

References:

https://www.owasp.org/index.php/Information_Leakage
http://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/
https://github.com/spring-projects/spring-boot/issues/4730 (see comments)

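The leakage the report describes is easiest to reason about when you can see exactly which response headers give the stack away. The following is an added example, not code from Tomcat or from the reporter: a small audit helper that parses a raw HTTP/1.1 response, pulls out the identity-revealing headers (`Server` and `X-Powered-By`) and classifies what each value discloses, including the two cases the report discusses (the default banner, and an overridden but still present header). The sample responses are constructed; `Apache-Coyote/1.1` is the banner Tomcat 8.0 emits when the Connector `server` attribute in `server.xml` is not set. Function names (`parse_response`, `audit`, `audit_url`) are this example's own.

```python
"""Audit HTTP responses for headers that disclose the server software.

Added example (not Tomcat code). Sample responses below are constructed,
not captured from a real server.
"""
from __future__ import annotations

import http.client
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Response headers that commonly fingerprint the server stack.
DISCLOSURE_HEADERS = ("server", "x-powered-by")

# Default Server value Tomcat 8.0 sends when the Connector "server"
# attribute is not configured.
TOMCAT_DEFAULT = "Apache-Coyote/1.1"


@dataclass(frozen=True)
class Finding:
    header: str
    value: str
    note: str


def parse_response(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a raw response into its status line and a name -> values map.

    Header field names are case-insensitive, so they are lower-cased;
    repeated fields are kept in order. Only the head is parsed.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    if not status.startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status!r}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:  # blank or malformed line: skip it
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def classify(header: str, value: str) -> str:
    """Describe what a disclosure header value reveals to a client."""
    if value == "":
        return "emitted with an empty value: the server cannot suppress it"
    if header == "server" and value == TOMCAT_DEFAULT:
        return "Tomcat default banner: product and connector version disclosed"
    if re.search(r"\d+\.\d+", value):
        return "product and version disclosed"
    return "custom banner: product hidden, but header still present"


def audit_headers(headers: dict[str, list[str]]) -> list[Finding]:
    """Return one Finding per identity-revealing header (lower-cased names)."""
    return [
        Finding(name, value, classify(name, value))
        for name in DISCLOSURE_HEADERS
        for value in headers.get(name, [])
    ]


def audit(raw: bytes) -> list[Finding]:
    """Audit a raw response captured on the wire."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


def audit_url(url: str, timeout: float = 5.0) -> list[Finding]:
    """Send a HEAD request to a live URL you operate and audit its headers."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        headers: dict[str, list[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return audit_headers(headers)
    finally:
        conn.close()


# Constructed samples: default banner, overridden banner, empty value, none.
SAMPLE_DEFAULT = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                  b"Content-Type: text/html;charset=UTF-8\r\nContent-Length: 0\r\n\r\n")
SAMPLE_OVERRIDDEN = (b"HTTP/1.1 200 OK\r\nServer: webserver\r\n"
                     b"X-Powered-By: Servlet/3.1\r\nContent-Length: 0\r\n\r\n")
SAMPLE_EMPTY = b"HTTP/1.1 200 OK\r\nServer: \r\nContent-Length: 0\r\n\r\n"
SAMPLE_SILENT = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("overridden", SAMPLE_OVERRIDDEN),
                          ("empty", SAMPLE_EMPTY), ("silent", SAMPLE_SILENT)):
        print(label, [(f.header, f.value, f.note) for f in audit(sample)])
```

Run it as a script to see the four constructed cases side by side; `audit_url` is for checking a server you administer after changing the Connector configuration. The "empty value" and "custom banner" classifications encode the report's point: a header that is present but overridden still tells a client something about the server, so the check only passes when no `Server` header is returned at all.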