tomcat-users mailing list archives

From Markus Schönhaber
Subject Re: Server Identity
Date Sat, 15 Sep 2007 15:42:35 GMT
Arend P. van der Veen wrote:

> Does anybody know if it is possible to hide the identity of a tomcat web 
> server?  When I do a Nessus scan I get the following:
> Server: Apache-Coyote/1.1
> I have already looked at the Tomcat configuration documentation and
> searched Google to find the answer but did not have any luck.
> Is it possible to mask this so that hackers do not know what type of web 
> server I am running?

Chuck already pointed you to the relevant part of the docs.

Nevertheless: changing the value of the Connector's server attribute
alone won't help you much, for example if you don't prevent the
standard error pages from being used. Those contain much more detailed
and much more easily accessible information about Tomcat than the Server
HTTP header does.

BTW: I wouldn't consider hiding the server type a really relevant
increase of security. If there is a security flaw in Tomcat, an attacker
will probably simply try to use an exploit for this flaw - regardless of
what the server claims to be. If it's an exploitable Tomcat, it will
work. If it isn't, he'll try something else.
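
An added example, not part of the original message or of Tomcat: a small audit check that looks at both places named in the reply, the Server header and the error page body, in responses captured from your own server. The three sample responses, the masked header value `webserver` and the `X.Y.Z` version string are constructed for illustration.

```python
import re

# The connector name from the Server header quoted in the thread, and the
# product banner that the standard error pages print in title and footer.
FINGERPRINTS = [
    re.compile(r"Apache-Coyote/[\w.]+"),
    re.compile(r"Apache Tomcat/[\w.]+"),
]

def split_response(raw):
    """Split a raw HTTP response into (headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def find_leaks(raw):
    """Return sorted (location, matched_text) pairs that reveal the server type."""
    headers, body = split_response(raw)
    leaks = set()
    for pattern in FINGERPRINTS:
        for value in headers.get("server", []):
            leaks.update(("Server header", m) for m in pattern.findall(value))
        leaks.update(("response body", m) for m in pattern.findall(body))
    return sorted(leaks)

def make_response(server, body):
    """Build a constructed 404 response for the samples below."""
    return ("HTTP/1.1 404 Not Found\r\n"
            f"Server: {server}\r\nContent-Type: text/html\r\n\r\n{body}")

# Constructed sample bodies: a stock-style error page and a custom one.
STOCK_PAGE = ("<html><head><title>Apache Tomcat/X.Y.Z - Error report</title>"
              "</head><body><h1>HTTP Status 404</h1>"
              "<h3>Apache Tomcat/X.Y.Z</h3></body></html>")
CUSTOM_PAGE = "<html><body><h1>Page not found</h1></body></html>"

DEFAULT = make_response("Apache-Coyote/1.1", STOCK_PAGE)
HEADER_ONLY_MASKED = make_response("webserver", STOCK_PAGE)
BOTH_CHANGED = make_response("webserver", CUSTOM_PAGE)

if __name__ == "__main__":
    for name in ("DEFAULT", "HEADER_ONLY_MASKED", "BOTH_CHANGED"):
        print(name, find_leaks(globals()[name]))
```
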

