How to properly send an HTTP message to the client

Question

I\'m working on a RESTful web service in Java. I need a good way to send error messages to the client if something\'s wrong.

According to the Javadoc, HttpServlet

Answer 1

If you're using Tomcat, see the setting org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER:

http://tomcat.apache.org/tomcat-5.5-doc/config/systemprops.html

• If this is true custom HTTP status messages will be used within HTTP headers. Users must ensure that any such message is ISO-8859-1 encoded, particularly if user provided input is included in the message, to prevent a possible XSS vulnerability. If not specified the default value of false will be used.

See this page for some detail on the original vulnerability:

http://www.securityfocus.com/archive/1/archive/1/495021/100/0/threaded