In itself, it’s not a security breach, but it’s still a good idea to hide that information. If in the future vulnerabilities are discovered in this particular version, and your service is not upgraded to a safer version of Tomcat (which ideally should not occur, but in practice can, for various reasons), then "announcing to the world" that you are running a vulnerable service would facilitate the work of any attackers targeting your server.
To hide this information, one can follow the procedure described on that page or alternatively the one described on the OWASP website (it includes other suggestions to keep your instance safe, worth reading):
1. Find the file catalina.jar (it is inside the folder specified as CATALINA_HOME, in the sub-folder server\lib) and extract from it the file org/apache/catalina/util/ServerInfo.properties.
2. Update this file by replacing (or adding) the server.info entry with some string of your choice. Example:
   server.info=Apache Tomcat
3. Do one of the two:
   - Put the updated file back in the jar (it might break some applications, like Lambda Probe); or
   - Create the folder structure lib\org\apache\catalina\util inside CATALINA_HOME and place the modified version of ServerInfo.properties there.
4. Restart Tomcat.
This should cause the error messages to display the string you chose (in the above example, Apache Tomcat) instead of the version number.
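The procedure above, carried out with the second option (the CATALINA_HOME\lib override, which leaves catalina.jar untouched), as an added example that is not part of the original answer. It builds a constructed stand-in for catalina.jar with made-up property values, extracts ServerInfo.properties from it, rewrites (or appends) the server.info line, writes the result under CATALINA_HOME/lib/org/apache/catalina/util/, and then checks which value would be picked up: the check looks in the lib directory before the jar, mirroring the lookup order of Tomcat's common class loader, but it is illustration code written here, not Tomcat's own logic. All paths and sample values are assumptions.

```python
"""Added example (not from the original answer): apply the CATALINA_HOME/lib
override for ServerInfo.properties without modifying catalina.jar, then
verify which server.info value would be seen.

Assumptions (hypothetical, not taken from the page): paths are passed in
explicitly; the jar is any zip file containing the resource below.
"""
import os
import tempfile
import zipfile

RESOURCE = "org/apache/catalina/util/ServerInfo.properties"


def rewrite_server_info(text: str, new_value: str) -> str:
    """Replace the server.info line, or append one if it is missing.
    Other keys (server.number, server.built, ...) are kept unchanged."""
    out, replaced = [], False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == "server.info":
            out.append(f"server.info={new_value}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"server.info={new_value}")
    return "\n".join(out) + "\n"


def install_override(catalina_jar: str, catalina_home: str, new_value: str) -> str:
    """Extract ServerInfo.properties from the jar, rewrite server.info and
    write it under CATALINA_HOME/lib/org/apache/catalina/util/.
    Returns the override path; the jar itself is left as-is."""
    with zipfile.ZipFile(catalina_jar) as jar:
        original = jar.read(RESOURCE).decode("utf-8")
    target = os.path.join(catalina_home, "lib", *RESOURCE.split("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(rewrite_server_info(original, new_value))
    return target


def effective_server_info(catalina_jar: str, catalina_home: str) -> str:
    """Return the server.info value that would be loaded: the lib directory
    is consulted before the jar, which is why the override takes effect.
    (Illustrative check modelled on the common loader order, not Tomcat code.)"""
    override = os.path.join(catalina_home, "lib", *RESOURCE.split("/"))
    if os.path.exists(override):
        with open(override, encoding="utf-8") as fh:
            text = fh.read()
    else:
        with zipfile.ZipFile(catalina_jar) as jar:
            text = jar.read(RESOURCE).decode("utf-8")
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.info":
            return value.strip()
    return ""


def make_sample_jar(path: str) -> None:
    """Build a constructed stand-in for catalina.jar; every value is made up."""
    sample = (
        "server.info=Apache Tomcat/0.0.0 (constructed sample)\n"
        "server.number=0.0.0.0\n"
        "server.built=Jan 1 1970 00:00:00\n"
    )
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(RESOURCE, sample)


def demo(workdir: str = None) -> dict:
    """Run the whole procedure in a scratch CATALINA_HOME and report the
    server.info value before and after, plus whether the jar was left intact."""
    home = os.path.join(workdir or tempfile.mkdtemp(), "tomcat")
    jar_dir = os.path.join(home, "server", "lib")  # layout named in the answer
    os.makedirs(jar_dir, exist_ok=True)
    jar = os.path.join(jar_dir, "catalina.jar")
    make_sample_jar(jar)
    before = effective_server_info(jar, home)
    install_override(jar, home, "Apache Tomcat")
    after = effective_server_info(jar, home)
    with zipfile.ZipFile(jar) as z:
        jar_unchanged = "0.0.0" in z.read(RESOURCE).decode("utf-8")
    return {"before": before, "after": after, "jar_unchanged": jar_unchanged}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the value read before the override (the constructed version string) and after it (Apache Tomcat), and confirms the jar was not rewritten. Against a real installation you would call install_override with the actual catalina.jar and CATALINA_HOME paths and then restart Tomcat, as the answer says; after the restart, the error pages are what actually confirm the change.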
Outstanding!!!!!!
– Avelino
Many thanks @mgibsonbr, it worked perfectly.
– DiegoAugusto
Excellent!!! I made it here and it worked great!! Thanks!! Regina Deboni
– user130713