I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server is revealing the path to the document web root in an "exception-message" header when a missing page is requested.
Does anyone know of a way to get rid of this header from the response? Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header is coming from Tomcat.

    $ curl -I http://mydomain.com/this-page-does-not-exist.html
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2014 23:23:22 GMT
    Server: Apache-Coyote/1.1
    exception-message: Page /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html] not found
    Content-Type: text/html;charset=UTF-8
    Content-Length: 44
    Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
    Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
    Connection: close