Re: Tomcat Error Value/server info

2019-01-08 Thread Zamani, Karim
Hi Mark, Agree that hiding the version is not the way to deal with vulnerabilities. Having said that, revealing information about the stack or its version in the error handler to the world can still be a security issue. What kind of debugging are we expecting when the server type and version

Re: Tomcat Error Value/server info

2019-01-08 Thread Mark Thomas
On 08/01/2019 23:30, Zamani, Karim wrote:
> Hi, Tomcat’s default error handler has showServerInfo set to true by default. This is not a good security practice because it exposes Tomcat’s version (version disclosure). Is there a reason why this property is not set to false by default?

Yes.

Tomcat Error Value/server info

2019-01-08 Thread Zamani, Karim
Hi, Tomcat’s default error handler has showServerInfo set to true by default. This is not a good security practice because it exposes Tomcat’s version (version disclosure). Is there a reason why this property is not set to false by default? Thanks, Karim