Hi Mark,

Agree that hiding the version is not the way to deal with vulnerabilities. Having said that, revealing information about the stack or its version in the error handler to the world can still be a security issue.

What kind of debugging are we expecting when the server type and version are exposed in a 500 response, for example? IMHO, Tomcat's default settings should be more "restrictive" unless it causes problems.

Karim

On 1/8/19, 7:09 PM, "Mark Thomas" <ma...@apache.org> wrote:

> On 08/01/2019 23:30, Zamani, Karim wrote:
>
> > Hi,
> >
> > Tomcat’s default error handler has showServerInfo set to true by default. This is not a good security practice because it exposes Tomcat’s version (version disclosure).
> >
> > Is there a reason why this property is not set to false by default?
>
> Yes.
>
> If you are running an old version with a known vulnerability you are vulnerable. The server is no less vulnerable if the version information is not shown. Hiding the version number is mostly security by obscurity.
>
> Having the version information available is useful when debugging.
>
> Generally, it is the view of the Tomcat community that the benefits of having the version information presented outweigh the risks. Users that take a different view can easily set showServerInfo to false.
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
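The setting Mark refers to lives on Tomcat's ErrorReportValve. The fragment below is an added configuration example, not code from either message in this thread and not a Tomcat project file: it shows the stock default (version shown) next to the hardened form, as it would appear inside the Host element of conf/server.xml. The Valve class name and the showServerInfo, showReport and Connector server attributes are Tomcat's own; the host name, appBase and port values are the stock defaults, and the comments are mine.

```xml
<!-- Added example: Host section of conf/server.xml -->
<Service name="Catalina">

  <!-- Optional: the Connector "server" attribute overrides the value sent
       in the HTTP Server response header, so the header does not reveal
       which container is answering. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443"
             server="Web Server" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">

      <!-- DEFAULT (what the thread complains about): both attributes are
           true when the valve is not declared at all, so a 404 or 500
           page shows "Apache Tomcat/x.y.z" plus a stack trace. Declaring
           the valve explicitly with the defaults is equivalent to this: -->
      <!--
      <Valve className="org.apache.catalina.valves.ErrorReportValve"
             showReport="true"
             showServerInfo="true" />
      -->

      <!-- HARDENED: keep the valve (it still produces a well-formed error
           page) but drop the version banner and the exception/stack-trace
           report from responses sent to clients. The stack trace is still
           written to Tomcat's own logs, which is where debugging belongs. -->
      <Valve className="org.apache.catalina.valves.ErrorReportValve"
             showReport="false"
             showServerInfo="false" />

    </Host>
  </Engine>
</Service>
```

After restarting Tomcat, a request for a path that does not exist should return a 404 whose body no longer contains the "Apache Tomcat/" version line and whose Server header (if one is sent) carries the value configured on the Connector; that request is a cheap regression check to keep in a deployment checklist.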