remove server header tomcat
I am able to rename the value of org.apache.coyote.http11.Http11Protocol.SERVER to anything else, so the HTTP-Response-Header contains something like:

Server:Apache

instead of the default

Server:Apache-Coyote/1.1

Using an empty value for org.apache.coyote.http11.Http11Protocol.SERVER does not remove the Server-Header.

How can I remove the Server-Header from my responses?

Littlest answered 19/6, 2012 at 13:54 Comment(1)
Note that the 1.1 in this response header refers to the HTTP version and not the version number of the server-side component. Otherwise, it would say Apache Tomcat 3.x-or-later.Epigeous

Short answer - you can't remove the header, but you should modify it (see other answers).

The server header is defined in the RFC and it is mandatory. (not defined as optional in the spec)

Taken from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38

14.38 Server
The Server response-header field contains information about the software used by the origin server to handle the request.
The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.

If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45).

  Note: Revealing the specific software version of the server might
  allow the server machine to become more vulnerable to attacks
  against software that is known to contain security holes. Server
  implementors are encouraged to make this field a configurable
  option.
Entertainer answered 23/3, 2013 at 16:8 Comment(3)
Modifying or removing the server header (as well as others like X-Powered-By) is important for security. By providing outside users with information about your underlying technology infrastructure, you're essentially telling potential attackers which exploits they should be taking advantage of. Unlike some other containers, tomcat does not let you remove the header, but you can modify it to be anything you want. <Connector port="8080" server="Anything"/> within server.xml. See also: Tomcat docsBiliary
"The server header is defined in the RFC and it is mandatory" is false. If it doesn't say it is mandatory, then it isn't.Behavior
@MartinCassidy Is it (important for security)? Advertising that your server supports HTTP/1.1 is literally right in the protocol at the start of the response line. This particular "security" issue is due to a profound misunderstanding of what is being communicated in the response header.Epigeous

You can modify your tomcat server.xml and add a "server" option and set it to whatever you want. The server option should be set for any http or ssl connectors that you have running. For example, below is a sample HTTP Connector configuration from an example server.xml file.

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" enableLookups="false" xpoweredBy="false" server="Web"/>
Vaal answered 11/12, 2015 at 13:58 Comment(1)
Actually the B should be uppercase: xpoweredBy="false" (tomcat version 8.5.72).Organogenesis

It should be possible since Tomcat 5.5. Check out this discussion: https://mail-archives.apache.org/mod_mbox/tomcat-users/200508.mbox/%[email protected]%3E and this link: https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

Accordingly, the following should set the Server header to TEST; an empty value should make it empty.

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180" inProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" connectionTimeout="20000" useURIValidationHack="false" server="TEST"/>

Setting the Server header to Apache should security-wise be good enough in most cases. Just from that it won't be possible to infer which OS, which exact version, or which modules (and which module versions) are running.

Mantinea answered 30/7, 2014 at 9:24 Comment(3)
I don't see how the link you provided helps removing the server headerEntertainer
-1 This doesn't answer the question. The OP already knows how to change the Server header; what they want to know is whether it's possible to remove it.Dissert
You can set the value to empty string also (server=""). However it doesn't work for static files (css, images...), in that case, you have to use at least one space (server=" "), otherwise default text (Apache-Coyote/1.1) is put there instead. It's true that it doesn't remove the header completely, the header is still there, but with empty value.Lezley

If you are using embedded Tomcat, then you can try the code below.

import org.apache.catalina.startup.Tomcat;

final Tomcat server = new Tomcat();
// Suppress the X-Powered-By header on the default connector
server.getConnector().setXpoweredBy(false);
// Set the Server header value to an empty string (newer Tomcat versions expose the same
// connector property via setProperty("server", "") instead of the deprecated setAttribute)
server.getConnector().setAttribute("server", "");
Diplomacy answered 23/4, 2019 at 6:53 Comment(0)

For a web application, set the Server header from the code. It worked for me in a Java Spring Boot project.

response.setHeader("Server", "none");

Try adding it from code if it is deployed in Tomcat.

Upstretched answered 21/5, 2021 at 8:36 Comment(0)
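The "set it from code" approach above only covers responses your own handlers produce; a servlet filter applies the same fixed value to every response, including static files served by the container (the case the server=" " comment mentions). This is an added example, not code from any answer on this page; the filter name is hypothetical and it assumes the javax.servlet API (Tomcat 9 or earlier) and a Tomcat version whose connector does not itself override application-provided Server values.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (example code): mapped to /* so it runs for every request,
// including static resources handled by Tomcat's DefaultServlet.
@WebFilter("/*")
public class ServerHeaderFilter implements Filter {

    // A generic product token that reveals neither the container nor its version.
    private static final String SERVER_VALUE = "Web";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before invoking the chain so it is already present when
            // the response is committed; headers cannot be changed after that point.
            ((HttpServletResponse) res).setHeader("Server", SERVER_VALUE);
        }
        chain.doFilter(req, res);
    }
}
```

Whichever approach you use, confirm the result from outside the container, e.g. `curl -sI http://localhost:8080/ | grep -i '^server:'` against a static file as well as a dynamic page.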