Reducing information disclosure in Tomcat error pages

灰色年华 2021-02-05 15:20

By default, Tomcat's error pages disclose both the existence of Tomcat and the exact version of the container that's handling the requests. This is nice for development, but

5 answers
  •  广开言路
    2021-02-05 15:47

    The simplest and most comprehensive way to do this is using the ErrorReportValve - just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve):

        
    

    In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.

    You can read more about this in the Security How To and in the documentation of the Error Report Valve.
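
An added example, not part of the answer above or of Tomcat's own tooling: a Python check that parses a server.xml and reports each Host whose ErrorReportValve does not set both showReport and showServerInfo to false. The embedded server.xml, the host names and the function name audit_error_report_valves are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml (not from the page): one hardened Host,
# one Host that sets only showReport, one Host with no ErrorReportValve.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"/>
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="partial.example" appBase="partial">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false"/>
      </Host>
      <Host name="default.example" appBase="default"/>
    </Engine>
  </Service>
</Server>
"""

def audit_error_report_valves(server_xml):
    """Return {host name: [findings]}; an empty list means the Host is hardened."""
    results = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            # Without an explicit valve the Host falls back to the default one,
            # which shows both the report and the server info.
            results[name] = ["no ErrorReportValve: stack trace and server info shown"]
            continue
        findings = []
        for attr in ("showReport", "showServerInfo"):
            # Both attributes default to true when omitted.
            if valves[0].get(attr, "true").strip().lower() != "false":
                findings.append(f"{attr} is not false")
        results[name] = findings
    return results

if __name__ == "__main__":
    for host, findings in audit_error_report_valves(SAMPLE_SERVER_XML).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

To audit a real deployment, pass the text of its conf/server.xml to the function in place of the sample.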
