Oliver, On Mon, 16 Dec 2019 at 11:09, Olivier Jaquemet <olivier.jaque...@jalios.com> wrote:
> Hello all, > > I would like to systematically hide a request header to web applications > hosted by Tomcat. > > "Blanking" or "Unsetting" a header is not the same as "Hiding". By hiding, you are essentially asking for the Header to be available under certain elevated privilege or conditions. Unless, you meant Unsetting the value or removing the header (not "Hiding")? > - If Apache HTTPD is used in front of Tomcat, you can use the > RequestHeader directive [0]: > RequestHeader unset Some-Header-Name > > - If NGINX is used in front of Tomcat, you can use the proxy_set_header > directive [1]: > proxy_set_header Some-Header-Name ""; > > - Is there any way to apply a similar configuration (no development [2]) > to Apache Tomcat when there is no front server ? > I could not find any built-in valve/filter that would allow such > filtering. I don't think there is any, but I wanted to make sure I had > not missed something. > > Not to my knowledge. But I don't see why you cannot implement your own Valve. Of course, any suggestion is welcome unless someone else has any other suggestions? > Olivier > > [0] > https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader > [1] > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header > [2] I know it is possible to develop a quite simple custom ServletFilter > to wrap the request with a custom HttpServletRequest wrapper, but I'm > looking for a zero development possibility. For those of your reading > this discussion later and looking for a development solution, you can > find inspiration in the following github repo that you can adapt to > handle removal > https://github.com/lonelyplanet/tomcat-request-header-filter > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
