tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig McClanahan" <cmcclana...@mytownnet.com>
Subject Re: Servlet-Engine response header field
Date Wed, 27 Oct 1999 18:41:39 GMT
David Brownell wrote:

> Talking about security ...
>
> Can we get rid of the string in the servlet response which tells
> attackers about the version of servlet API, version of Java,
> version of JSP, JVM vendor and version, and OS version?
>
> It's generally considered bad form to invite crackers in with
> quite that level of open door.  Even the crackers prefer to
> have a bit of a challenge, after all.
>
> Surely you'd prefer to know that crackers attacking your site
> were well beyond the "script kiddie" developmental stage? :-)
>
> Seriously -- that's information that should _not_ be disclosed
> without a compelling need to do so.
>

Rather than arbitrarily getting rid of it, I'd suggest we make it a
configurable option whether these headers get created or not.  In some
environments (security not an issue, intranet application where you feel
comfortable you're not going to have insiders out to get you, debugging
Tomcat  :-), etc.) the information can be quite useful.

Configurability is the approach that the HTTP/1.1 spec suggests for
things like the "Server" header (see Section 14.38 of RFC 2616).

>
> - Dave

Craig McClanahan



Mime
View raw message