Hi Mark,

Agree that hiding the version is not the way to deal with vulnerabilities. 
Having said that, revealing information about the stack or its version in the 
error handler to the world can still be a security issue.

What kind of debugging are we expecting when the server type and version are 
exposed in a 500 response for example?

IMHO, Tomcat's default settings should be more "restrictive" unless it causes 
problems.

Karim


On 1/8/19, 7:09 PM, "Mark Thomas" <ma...@apache.org> wrote:

    On 08/01/2019 23:30, Zamani, Karim wrote:
    > Hi,
    > 
    > Tomcat’s default error handler has showServerInfo set to true by default. 
    > This is not a good security practice because it exposes Tomcat’s version 
    > (version disclosure).
    > 
    > Is there a reason why this property is not set to false by default?
    
    Yes.
    
    If you are running an old version with a known vulnerability you are 
    vulnerable. The server is no less vulnerable if the version information 
    is not shown. Hiding the version number is mostly security by obscurity.
    
    Having the version information available is useful when debugging.
    
    Generally, it is the view of the Tomcat community that the benefits of 
    having the version information presented outweigh the risks. Users that 
    take a different view can easily set showServerInfo to false.
    
    Mark
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
    For additional commands, e-mail: users-h...@tomcat.apache.org
    
    

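For readers who take Karim's view, the setting under discussion lives on the ErrorReportValve, which Tomcat attaches to every Host automatically with its defaults. Declaring the valve explicitly inside the Host element in conf/server.xml lets you override those defaults. The fragment below is an added illustration, not configuration from the thread or from the Tomcat project; the Host name and appBase are the stock values and are assumptions, and the first valve is shown only to document the defaults.

```xml
<!-- Added example: conf/server.xml, inside <Engine name="Catalina"> -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- What you get implicitly when no ErrorReportValve is declared:
       showReport="true"      - stack trace / exception details in the HTML error page
       showServerInfo="true"  - "Apache Tomcat/x.y.z" footer on the error page
       (listed here for reference only; do not declare two ErrorReportValves) -->
  <!--
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="true"
         showServerInfo="true" />
  -->

  <!-- Hardened variant: keep the same status codes and logging, but send a
       generic error page with no version string and no exception details -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />

</Host>
```

After restarting Tomcat, request a path that does not exist (for example with curl) and confirm the 404 body no longer contains "Apache Tomcat/". Two caveats: this valve only affects the HTML error page Tomcat renders itself, not any Server response header, and, as Mark notes, it changes what an observer sees rather than whether the installed version is vulnerable, so it complements patching rather than replacing it.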