https://bz.apache.org/bugzilla/show_bug.cgi?id=63851
Bug ID: 63851
Summary: Response's "Location" header must not disclose internal IPs
Product: Tomcat 8
Version: 8.5.14
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: hau...@acm.org
Target Milestone: ----

If you have an internal network and in server.xml

    <Connector port ... address="173.24.10.222"

when you send a redirect with a relative URL such as

    response.sendRedirect("/index.jsp");

the "https://173.24.10.222:6443/index.jsp" is given back in the Location header, which is considered useful "discovery" for unfriendly counterparts...

==> for these cases, maybe in
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation
it should be possible to add an "addressExternal" value?

see also: bug 54367
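A check for the behaviour reported above, as an added example that is not part of the bug report or of Tomcat: it flags redirect responses whose Location header carries an IP literal the client did not itself request. The external name www.example.org and the sample responses are constructed; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

def _as_ip(host):
    """Parse host as an IP literal; return None for DNS names or empty input."""
    try:
        return ipaddress.ip_address(host or "")
    except ValueError:
        return None

def leaked_address(request_host, location):
    """Return the IP literal disclosed by an absolute Location header, or None.

    request_host is the Host header the client sent. A relative Location, a DNS
    name, or the same address the client already used discloses nothing new.
    """
    parts = urlsplit(location)
    if not parts.netloc:                      # relative redirect
        return None
    ip = _as_ip(parts.hostname)
    if ip is None:                            # host is a DNS name
        return None
    requested = urlsplit("//" + request_host).hostname
    if _as_ip(requested) == ip:               # client connected by this IP
        return None
    return str(ip)

def audit(responses):
    """responses: iterable of (request_host, status, [(header, value), ...])."""
    findings = []
    for request_host, status, headers in responses:
        if not 300 <= status < 400:
            continue
        for name, value in headers:
            if name.lower() == "location":
                ip = leaked_address(request_host, value)
                if ip:
                    findings.append((request_host, value, ip))
    return findings

# Constructed samples; the first mirrors the Location value from the report.
SAMPLES = [
    ("www.example.org", 302, [("Location", "https://173.24.10.222:6443/index.jsp")]),
    ("www.example.org", 302, [("Location", "/index.jsp")]),
    ("www.example.org", 302, [("Location", "https://www.example.org/index.jsp")]),
    ("173.24.10.222:6443", 302, [("Location", "https://173.24.10.222:6443/index.jsp")]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

The check compares against the requested Host rather than a list of private ranges, so it catches any address that differs from the name the client used.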