On 08/01/2019 23:30, Zamani, Karim wrote:
Hi,

Tomcat’s default error handler has showServerInfo set to true by default. This 
is not a good security practice because it exposes Tomcat’s version (version 
disclosure).

Is there a reason why this property is not set to false by default?

Yes.

If you are running an old version with a known vulnerability you are vulnerable. The server is no less vulnerable if the version information is not shown. Hiding the version number is mostly security by obscurity.

Having the version information available is useful when debugging.

Generally, it is the view of the Tomcat community that the benefits of having the version information presented outweigh the risks. Users that take a different view can easily set showServerInfo to false.

Mark
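As an added example, not part of the thread and not Tomcat's own code: a small Python check that reads a server.xml and reports, per Host, whether the ErrorReportValve is left at its default (showServerInfo effectively true) or has been set to false as Mark describes. It assumes the valve, when present, is declared directly under the Host element; the sample server.xml below is constructed.

```python
import xml.etree.ElementTree as ET

# Fully qualified class name of Tomcat's default error-page valve.
ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"


def version_disclosed_per_host(server_xml: str) -> dict:
    """Map each <Host name=...> to True if its error pages disclose the Tomcat
    version, i.e. showServerInfo is absent (default true) or set to true.

    A Host with no ErrorReportValve element gets Tomcat's built-in valve with
    default settings, so it is reported as disclosing the version.
    """
    root = ET.fromstring(server_xml)
    disclosed = {}
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        shown = True  # default when no valve is declared
        for valve in host.findall("Valve"):
            if valve.get("className") == ERROR_REPORT_VALVE:
                shown = valve.get("showServerInfo", "true").strip().lower() == "true"
        disclosed[name] = shown
    return disclosed


def hosts_with_default_disclosure(server_xml: str) -> list:
    """Sorted names of Hosts whose error pages still show the version."""
    return sorted(h for h, shown in version_disclosed_per_host(server_xml).items() if shown)


# Constructed sample server.xml: one Host hardened, one left at the default.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="intranet.example" appBase="webapps-intranet"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for host, shown in version_disclosed_per_host(SAMPLE_SERVER_XML).items():
        print(f"{host}: showServerInfo effectively {'true' if shown else 'false'}")
```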
