> From: August Kleimo [mailto:aug...@kleimo.com]
> Subject: "exception-message" header reveals path to document root in 404
> response.

> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
> is revealing the path to the document web root in an "exception-message"
> header when a missing page is requested.

If you were really worried about security, you wouldn't be running a version of Tomcat that's 2.5 years old. Seriously, upgrade.

> Does anyone know of a way to get rid of this header from the response?

Use your own custom error page.

> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
> is coming from Tomcat.

Nope. Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a "friendly" error page.

 - Chuck
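
A check for confirming the header is gone once a custom error page is in place, added here as an example and not part of the original thread: it parses a raw HTTP response and reports every header whose value contains an absolute filesystem path. The function name, the regular expression and the leaking sample response (including its path) are constructed for illustration; the clean sample is the standard Tomcat 404 quoted in the reply.

```python
import re
from email import message_from_string

# Assumption: a "path" is a Unix absolute path with at least two segments,
# or a Windows drive path. MIME types ("text/html"), product tokens
# ("Apache-Coyote/1.1") and URLs are excluded by the lookbehind.
PATH_RE = re.compile(
    r'(?<![\w/.:])/(?:[\w.\-]+/)+[\w.\-]*'   # /var/www/app/ROOT/file.cfm
    r'|\b[A-Za-z]:\\[\w.\-\\ ]+'             # C:\inetpub\wwwroot\file.cfm
)

def leaking_headers(raw_response):
    """Return (header-name, path) pairs for headers that expose a filesystem path."""
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]           # drop the body, keep status + headers
    _status, _, header_block = head.partition("\n")
    headers = message_from_string(header_block)
    findings = []
    for name, value in headers.items():
        for match in PATH_RE.finditer(value):
            findings.append((name.lower(), match.group(0)))
    return findings

# Standard Tomcat 404 response headers, as quoted in the reply above.
TOMCAT_404 = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

"""

# Constructed sample: what a response carrying the reported header could look like.
LEAKY_404 = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
exception-message: Page /missing.cfm [/var/www/example/ROOT/missing.cfm] not found
Content-Type: text/html;charset=utf-8

"""

if __name__ == "__main__":
    for label, raw in (("tomcat default", TOMCAT_404), ("constructed leak", LEAKY_404)):
        print(label, leaking_headers(raw))
```
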