Which is the best way to mask / hide tomcat version from error pages?

浪尽此生 submitted on 2021-02-17 19:19:06

Question


Could somebody please let me know which of the following two approaches is recommended and why:

  • Make the necessary changes to ServerInfo.properties

  • Define "error-page" in web.xml


Answer 1:


The answers are a bit outdated, so: if you're using Tomcat 6 or newer (I've tested on Tomcat 7) you can use the ErrorReportValve to achieve the same in a way that is much easier to configure and maintain. Just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve):

<Valve className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false"/>

In this way you are hiding the server info and (because of the optional showReport="false") also the stack traces.

You can read more about this in the Security How To and in the documentation of the Error Report Valve.




Answer 2:


I'd make the changes to ServerInfo.properties regardless - there may be other places than error pages where the ServerInfo.properties version information shows up. (Maybe someone leaves up the default home page, samples, etc. and these may have it.)

Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying them in CATALINA_HOME/conf/web.xml - this will use your newly specified error pages by default even if a developer forgets to specify error pages for their app.
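What the global mapping described above looks like, as an added example (not taken from the original post or from Tomcat's shipped configuration): these error-page elements go inside the web-app element of CATALINA_HOME/conf/web.xml, and the location /error.html is an assumed path.

```xml
<!-- Inside <web-app> in CATALINA_HOME/conf/web.xml (added example; /error.html is assumed) -->
<!-- Container-generated status codes such as an unknown path -->
<error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
</error-page>
<!-- Any uncaught exception, so no stack trace reaches the client -->
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
</error-page>
```

The caveat a practitioner wants here: location is resolved inside each deployed web application, not in conf/, so every application (including ROOT, which in a typical install answers requests for context paths that do not exist) must actually ship /error.html. An application that lacks it falls back to Tomcat's own error output for that status, which is exactly what the mapping was meant to replace; the ErrorReportValve approach from Answer 1 does not have this per-application dependency.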




Answer 3:


Changing ServerInfo.properties is the most secure. If, for example, you have deployed a webapp on http://example.com/contextname, one could still get a 404 by requesting http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns a 503 error page).

That said, I honestly don't see any valid reasons to hide the Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.
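Whichever of the three approaches you pick, verify it from the outside: request the container-served pages Answer 3 describes (an unknown context path, an HTTP method no servlet implements) and check whether the version footer that ServerInfo.properties or showServerInfo controls, or the stack-trace frames that showReport controls, still appear. The script below is an added example, not code from the original post or from the Tomcat project. The sample responses are constructed, the version number 9.0.0 inside them is made up, and the probe path and the BOGUS method name are arbitrary choices.

```python
"""Check HTTP error responses for Tomcat version and stack-trace disclosure.

Added example; not part of the original Q&A. Sample bodies below are
constructed, and the version "9.0.0" in them is made up.
"""
import re
import sys
import urllib.error
import urllib.request

# Footer printed by stock Tomcat error pages (from ServerInfo.properties,
# suppressed by showServerInfo="false"), and Java stack-trace frames
# (suppressed by showReport="false").
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")
STACK_FRAME_RE = re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)")

# Constructed sample responses, shaped like Tomcat's default pages.
STOCK_404 = (
    "<html><head><title>HTTP Status 404 - Not Found</title></head><body>"
    "<h1>HTTP Status 404 - Not Found</h1><hr/>"
    "<p><b>Type</b> Status Report</p>"
    "<p><b>Description</b> The origin server did not find a current "
    "representation for the target resource.</p><hr/>"
    "<h3>Apache Tomcat/9.0.0</h3></body></html>"
)
STOCK_500 = (
    "<html><body><h1>HTTP Status 500 - Internal Server Error</h1>"
    "<p><b>Exception</b></p><pre>java.lang.NullPointerException\n"
    "\tat com.example.Foo.doGet(Foo.java:42)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:634)\n"
    "</pre><h3>Apache Tomcat/9.0.0</h3></body></html>"
)
HARDENED_404 = "<html><body><h1>Not found</h1></body></html>"


def find_leaks(headers, body):
    """Return a list of (where, what) findings for one HTTP response.

    headers: mapping of header name -> value (any header is checked, since
    the version can also appear in X-Powered-By, not only Server).
    body: decoded response text.
    """
    findings = []
    for name, value in headers.items():
        if VERSION_RE.search(value):
            findings.append((f"{name} header", value))
    for match in VERSION_RE.finditer(body):
        findings.append(("body version string", match.group(0)))
    frame = STACK_FRAME_RE.search(body)
    if frame:
        findings.append(("body stack trace", frame.group(0)))
    return findings


# Requests that reach container-generated rather than application-generated
# error pages: a context path that is not deployed, and a bogus HTTP method.
PROBES = [("GET", "/this-context-does-not-exist-xyz/"), ("BOGUS", "/")]


def probe(base_url, timeout=5):
    """Send each probe to base_url; return {(method, path): findings}."""
    results = {}
    for method, path in PROBES:
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                headers = dict(resp.headers.items())
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # A 4xx/5xx is exactly the response we want to inspect.
            headers = dict(err.headers.items())
            body = err.read().decode("utf-8", "replace")
        results[(method, path)] = find_leaks(headers, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_tomcat_leaks.py http://host:8080
        for key, found in probe(sys.argv[1]).items():
            print(key, found or "clean")
    else:
        print("stock 404:", find_leaks({}, STOCK_404))
        print("stock 500:", find_leaks({}, STOCK_500))
        print("hardened:", find_leaks({"Server": "nginx"}, HARDENED_404))
```

Run it against a test instance before and after the change; an empty findings list for every probe means neither the footer nor a stack trace reaches the client. Note that a clean result only covers the probes listed, so add paths for the default ROOT page, docs and examples if they are still deployed, as Answer 2 warns.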



Source: https://stackoverflow.com/questions/2266475/which-is-the-best-way-to-mask-hide-tomcat-version-from-error-pages
