https://bz.apache.org/bugzilla/show_bug.cgi?id=63852

--- Comment #8 from Mark Thomas <ma...@apache.org> ---
(In reply to Ralf Hauser from comment #5)
>    showServerInfo=false
> achieves a similar goal, but why not be consistent with the "server"
> attribute of server.xml ?

There are some subtle differences.

The server header, if set, gets sent on every response. It isn't many bytes but
neither does it add much value. The consensus opinion is currently to disable
by default (but not for security reasons although disabled by default does make
some security folks happy).

The server info in the error report valve only gets sent when there is an
unhandled error. In that scenario it is more likely to be useful (it might help
track down an existing bug report for the issue). The consensus opinion is,
therefore, to default to enabled. Some security folks don't like this so there
is the option to disable it.

Keep in mind that Tomcat is used in a wide range of scenarios from local
development to large scale production deployments. There is no one
configuration that fits all use cases so we try and provide one that is a good
starting point for more uses that users can then tweak as required.

What there might be a case for is if "server" is explicitly set on the
Connector then use the same value in the ErrorReportValve although I'm not sure
the added code/complexity is worth the benefit.

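Added example, not part of the comment above and not Tomcat project code: a small audit of a `server.xml` that reports, per Connector, whether a `server` header value is set, and per Host, whether the ErrorReportValve still shows server info under the defaults described in the comment. The sample file, port numbers, host names and the `gateway` header value are constructed; matching only the stock valve class name (not subclasses) and reading the boolean like Java's `Boolean.valueOf` are assumptions.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml (not taken from the bug report).
SAMPLE = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" server="gateway"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
      <Host name="prod.example" appBase="prod">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def audit(server_xml):
    """Return ({port: server value or None}, {host name: server info shown?})."""
    root = ET.fromstring(server_xml)
    # None means "server" is unset, so no Server header is sent (the default).
    connectors = {c.get("port"): c.get("server") for c in root.iter("Connector")}
    hosts = {}
    for host in root.iter("Host"):
        valve = next((v for v in host.findall("Valve")
                      if v.get("className") == ERV), None)
        # No explicit valve, or attribute omitted: server info is shown
        # on unhandled errors (the default is enabled).
        raw = "true" if valve is None else valve.get("showServerInfo", "true")
        # Assumption: the attribute is read like Java's Boolean.valueOf.
        hosts[host.get("name")] = raw.lower() == "true"
    return connectors, hosts


def hosts_showing_server_info(server_xml):
    """Hosts whose error pages still include the server info."""
    return sorted(name for name, shown in audit(server_xml)[1].items() if shown)


if __name__ == "__main__":
    print(audit(SAMPLE))
    print(hosts_showing_server_info(SAMPLE))
```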