Arend P. van der Veen wrote:
> Does anybody know if it is possible to hide the identity of a tomcat web
> server? When I do a Nessus scan I get the following:
>
> Server: Apache-Coyote/1.1
>
> I have already looked at the Tomcat configuration documentation and
> searched Google to find the answer but did not have any luck.
>
> Is it possible to mask this so that hackers do not know what type of web
> server I am running?

Chuck already pointed you to the relevant part of the docs. Nevertheless: changing the value of the Connector's server attribute alone won't help you much. For example, if you don't prevent the standard error pages from being used. Those contain much more detailed and much more easily accessible information about Tomcat than the Server HTTP-header does.

BTW: I wouldn't consider hiding the server type a really relevant increase of security. If there is a security flaw in Tomcat, an attacker will probably simply try to use an exploit for this flaw - regardless of what the server claims to be. If it's an exploitable Tomcat, it will work. If it isn't, he'll try something else.

Regards
mks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
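
A check for the situation described in this reply, added here as an example and not code from the thread: it audits responses from your own server for both places the product name can appear, the `Server` header and the default error page body. The function names and the sample responses (including the version string `5.5.17`) are constructed for illustration.

```python
import re

# Default value of the Connector's Server header, as quoted in the thread.
COYOTE_HEADER = re.compile(r"Apache-Coyote/\d+(?:\.\d+)*")
# Default Tomcat error pages carry a banner of the form "Apache Tomcat/<version>".
TOMCAT_BANNER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_leaks(raw):
    """Return (location, matched text) pairs that identify the server as Tomcat."""
    status, headers, body = parse_response(raw)
    leaks = []
    match = COYOTE_HEADER.search(headers.get("server", ""))
    if match:
        leaks.append(("Server header", match.group(0)))
    match = TOMCAT_BANNER.search(body)
    if match:
        leaks.append(("body of %d response" % status, match.group(0)))
    return leaks


# Constructed sample: Server header changed, standard error page still in use.
MASKED_HEADER_DEFAULT_ERROR = (
    "HTTP/1.1 404 Not Found\r\nServer: WebServer\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>Apache Tomcat/5.5.17 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1>"
    "<h3>Apache Tomcat/5.5.17</h3></body></html>"
)
# Constructed sample: custom error page, default Server header.
DEFAULT_HEADER_CUSTOM_ERROR = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>Page not found</body></html>"
)

if __name__ == "__main__":
    for sample in (MASKED_HEADER_DEFAULT_ERROR, DEFAULT_HEADER_CUSTOM_ERROR):
        print(find_leaks(sample))
```
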