On Tue, Jun 9, 2026 at 11:16 AM Mark Thomas <[email protected]> wrote:
> Hi all,
>
> It was pointed out to me at $dayjob that the JsonErrorReportValve
> doesn't support the showReport attribute. What do folks think about
> adding it? Worth doing or not?
>
> Mark

Hi Mark,

Since it's defined as a security hardening technique, citing security-howto.xml "configure an ErrorReportValve and set its showReport attribute to false.", I think it should be added.

I have created the following PR addressing this:
https://github.com/apache/tomcat/pull/1020

I have also added the attribute to ProxyErrorReportValve, where it was missing too.

Kind regards,
Dimitris
