Hi all,

Security is becoming more and more important these days. We see many more attacks and we legitimately have to question ourselves regarding our defaults.

In essence, we rely on Tomcat, which is our backbone, and we have always treated its defaults as being reasonably good, as stated in this page: https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

When going live, a couple of changes should be made to avoid discarding information a hacker may use against us.

xpoweredBy giving the exact version of Tomcat, for instance.

The error valve attributes are set to false so it does not display Tomcat's version and does not discard exceptions.

Should we somehow pre-configure TomEE to be a bit more secure? The downside is that in development, with Arquillian or the TomEE Maven plugin, we lose some useful information to debug and understand what's going on.

What do you think?

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com
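
The two settings named in the message can be checked mechanically before going live. The following is an added example, not part of the original message or of TomEE's code: a small audit of a `server.xml` for the Connector `xpoweredBy` attribute and the `ErrorReportValve` attributes `showReport` and `showServerInfo`. The two sample configurations are constructed for illustration, and the function name `audit_server_xml` is hypothetical.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml fragments (not taken from a real deployment).
DEV_CONFIG = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="true"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
  </Engine></Service></Server>"""

HARDENED_CONFIG = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.valves.ErrorReportValve"
             showReport="false" showServerInfo="false"/>
    </Host>
  </Engine></Service></Server>"""


def audit_server_xml(xml_text):
    """Return findings for settings that expose version or stack-trace details."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat's documented default for xpoweredBy is false; flag explicit opt-in.
        if conn.get("xpoweredBy", "false").lower() == "true":
            findings.append(f"Connector port {conn.get('port')}: xpoweredBy=true")
    for host in root.iter("Host"):
        name = host.get("name")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERROR_VALVE]
        if not valves:
            # Without an explicit valve, the implicit one uses the defaults (both true).
            findings.append(f"Host {name}: no explicit ErrorReportValve, defaults apply")
            continue
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                if valve.get(attr, "true").lower() != "false":
                    findings.append(f"Host {name}: ErrorReportValve {attr} is not false")
    return findings


if __name__ == "__main__":
    for label, cfg in (("dev", DEV_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_server_xml(cfg) or "no findings")
```

Run as a release gate, a check like this lets development profiles keep verbose error reports while the production `server.xml` is verified separately.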