https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Bug ID: 58750
Summary: Provide way to disable Server header completely
Product: Tomcat 8
Version: 8.0.30
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: rwi...@gmail.com

Tomcat currently allows overriding the Server attribute, but does not allow removing the Server header completely. It would be valuable from a security perspective to be able to remove the header completely.

One might argue this provides little value (it is security through obscurity). In my opinion there is a big difference between relying on obscurity and preventing information leakage. If your security depends on obscurity (i.e. that is the only security measure you take), then I think we can agree this is bad. Most agree that security is best in depth. To me this means preventing information leakage (removing the header) does provide value.

Users could set the Tomcat header to something nonsensical, but this gives information away too. Most servers provide a way to disable the header completely, so this reveals that the user is likely using an application server that does not support it.

References:
https://www.owasp.org/index.php/Information_Leakage
http://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/
https://github.com/spring-projects/spring-boot/issues/4730 (see comments)
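The distinction the report draws (header absent, header overridden with a generic value, or header left at a default that names the product and version) is easy to turn into a check you can run against your own deployment's responses. The following is an added example written for this page, not code from the bug report or from Tomcat; the raw responses it parses are constructed, and the three policy labels it returns are names chosen here, not anything Tomcat defines.

```python
"""Classify the Server header of raw HTTP responses from a hardening standpoint.

Added example for this page; not part of the Tomcat project. The responses
below are constructed, and the labels "absent", "generic" and
"version-disclosure" are names chosen for this example.
"""
import re
from typing import Dict, List, Tuple

# A product token followed by a version, e.g. "Apache-Coyote/1.1" or
# "Apache/2.4.7". Anything matching this is treated as version disclosure.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict.

    Only the status line and headers are read; the body (after the blank
    line) is ignored. Header names are case-insensitive per RFC 7230, so
    they are normalised to lower case.
    """
    headers: Dict[str, str] = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":              # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                     # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (label, explanation) for the Server header of one response.

    absent             - no Server header at all (what the report asks for)
    generic            - a Server header that names no product/version
    version-disclosure - a Server header that exposes a product and version
    """
    server = headers.get("server")
    if server is None:
        return ("absent", "no Server header sent")
    if VERSION_RE.search(server):
        return ("version-disclosure",
                f"Server header exposes product and version: {server!r}")
    return ("generic", f"Server header present but generic: {server!r}")


def audit_responses(raw_responses: List[str]) -> List[str]:
    """Classify a batch of raw responses and return the label for each."""
    return [classify_server_header(parse_headers(r))[0] for r in raw_responses]


# Constructed sample responses (not captured from any real host).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: webserver\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        label, why = classify_server_header(parse_headers(raw))
        print(f"{label:20s} {why}")
```

The first sample reproduces Tomcat's default value ("Apache-Coyote/1.1"), which is exactly the kind of token the report wants to be able to suppress rather than merely replace; the second shows the "nonsensical override" case, which still announces that a Server header is being emitted; the third is the absent case the report asks for.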