Hi All,

Thanks for all your replies. Turns out it was in fact Railo. I searched the Railo repo on GitHub and found a reference to that header. I was able to overwrite it with a blank string using this line of code:

<cfset getPageContext().getResponse().setHeader("exception-message","")>

On Fri, Jan 10, 2014 at 4:36 PM, Jordan Michaels <jor...@viviotech.net> wrote:
> It may also be useful to know if you get this same "exception-message"
> header when you get a 404 from the Railo servlet (from a request for a .cfm
> file).
>
> It may help determine if Railo is involved or not.
>
> Warm Regards,
> Jordan Michaels
>
> On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
>>> From: August Kleimo [mailto:aug...@kleimo.com]
>>> Subject: "exception-message" header reveals path to document root in 404
>>> response.
>>>
>>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>>> is revealing the path to the document web root in an "exception-message"
>>> header when a missing page is requested.
>>
>> If you were really worried about security, you wouldn't be running a
>> version of Tomcat that's 2.5 years old. Seriously, upgrade.
>>
>>> Does anyone know of a way to get rid of this header from the response?
>>
>> Use your own custom error page.
>>
>>> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this
>>> header is coming from Tomcat.
>>
>> Nope. Here's Tomcat's standard 404 response:
>>
>> HTTP/1.1 404 Not Found
>> Server: Apache-Coyote/1.1
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 1027
>> Date: Fri, 10 Jan 2014 23:59:34 GMT
>>
>> Most likely Railo is using a "friendly" error page.
>>
>> - Chuck
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
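A small check of the kind a PCI scanner performs, added here as an editor's example; it is not code from the thread, from Railo or from Tomcat. It parses a raw 404 response and reports headers that disclose server-side detail. Note that the CFML fix quoted above blanks the "exception-message" header rather than removing it, so the check treats a present-but-empty header as clean. It generalizes slightly beyond the thread: besides the named diagnostic header, any header whose value looks like a filesystem path is flagged. The two sample responses are constructed for the example, and the header names other than "exception-message" are hypothetical watch-list entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any server in the thread).
# The first mimics the symptom described: a 404 whose "exception-message"
# header carries the document-root path. The second is what the CFML fix
# produces: the header is still sent, but with a blank value.
RESPONSE_BEFORE_FIX = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "exception-message: Page /missing.cfm [/opt/railo/tomcat/webapps/ROOT/missing.cfm] not found\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 1027\r\n"
    "\r\n"
    "<html>...</html>"
)

RESPONSE_AFTER_FIX = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "exception-message: \r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 1027\r\n"
    "\r\n"
    "<html>...</html>"
)

# Header names that normally carry server-side diagnostics. "exception-message"
# is the one from the thread; the other two are hypothetical entries that show
# the watch list is extensible.
DIAGNOSTIC_HEADERS = {"exception-message", "x-debug-message", "x-exception"}

# Headers whose values are URLs and therefore legitimately contain slashes.
URL_HEADERS = {"location", "content-location", "link"}

# Something shaped like an absolute filesystem path: two or more POSIX
# segments not preceded by ":" or "/" (so URLs are skipped), or a Windows
# drive-letter path.
PATH_PATTERN = re.compile(r"(?<![:/])(?:/[\w.-]+){2,}|[A-Za-z]:\\[^\s\"'\]]+")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into its status code and a lower-cased header map.

    Duplicate header names are folded with a comma, as RFC 7230 allows.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_code, headers


def find_leaky_headers(raw: str) -> List[str]:
    """Return the names of headers that disclose server-side detail.

    A header is reported when it is a known diagnostic header with a non-empty
    value, or when its value contains a filesystem-path-like string. A header
    that is present but blank, which is what the CFML fix in the thread
    produces, is not reported.
    """
    _status, headers = parse_response(raw)
    leaky = []
    for name, value in headers.items():
        if not value or name in URL_HEADERS:
            continue
        if name in DIAGNOSTIC_HEADERS or PATH_PATTERN.search(value):
            leaky.append(name)
    return sorted(leaky)


def report(raw: str) -> str:
    """One-line verdict suitable for a pre-scan smoke check."""
    status, _ = parse_response(raw)
    leaky = find_leaky_headers(raw)
    if leaky:
        return f"HTTP {status}: leaking headers: {', '.join(leaky)}"
    return f"HTTP {status}: no path-disclosing headers"


if __name__ == "__main__":
    print("before fix ->", report(RESPONSE_BEFORE_FIX))
    print("after fix  ->", report(RESPONSE_AFTER_FIX))
```

To use it against a live server, capture the raw 404 response for a request to a non-existent .cfm path (as Jordan suggests, that also tells you whether the Railo servlet is the one answering) and pass the bytes, decoded as ISO-8859-1, to report(). The path heuristic is deliberately loose; a blank-valued header passes, but a scanner that objects to the header's mere presence would still want it removed at the error-page or filter level rather than blanked.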