tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: "exception-message" header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 00:02:58 GMT
> From: August Kleimo [mailto:august@kleimo.com] 
> Subject: "exception-message" header reveals path to document root in 404 response.

> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
> is revealing the path to the document web root in an "exception-message"
> header when a missing page is requested.

If you were really worried about security, you wouldn't be running a version of Tomcat that's
2.5 years old.  Seriously, upgrade.

> Does anyone know of a way to get rid of this header from the response?

Use your own custom error page.

> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
> is coming from Tomcat.

Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a "friendly" error page.

 - Chuck
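
A check for the leak discussed in this thread, added here as an example and not part of the original messages: it scans the header block of a 404 response for absolute filesystem paths. The Tomcat sample is the response quoted above; the "exception-message" value, its path, and the function names are constructed for illustration.

```python
import re

# Absolute filesystem paths: Windows (C:\...) or Unix (/a/b...). The lookbehind
# keeps URL paths (http://host/a/b) and media types (text/html) from matching.
PATH_RE = re.compile(r"\b[A-Za-z]:\\\S+|(?<![\w/:.])/(?:[\w.-]+/)+[\w.-]*")

# Header block of Tomcat's standard 404, as quoted in the message above.
TOMCAT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 1027\r\n"
    "Date: Fri, 10 Jan 2014 23:59:34 GMT\r\n\r\n"
)

# Constructed sample: same response plus a header shaped like the reported one.
# The header value and path are made up for illustration.
CONSTRUCTED_LEAKY_404 = TOMCAT_404.replace(
    "Date:",
    "exception-message: Page not found: /var/www/example/webroot/missing.cfm\r\n"
    "Date:",
)

def parse_head(raw):
    """Return (status_code, [(name, value), ...]) from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers

def leaking_headers(raw):
    """Return (status_code, [(header_name, leaked_path), ...])."""
    status, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        match = PATH_RE.search(value)
        if match:
            findings.append((name, match.group(0)))
    return status, findings

if __name__ == "__main__":
    for label, raw in [("tomcat", TOMCAT_404), ("constructed", CONSTRUCTED_LEAKY_404)]:
        print(label, leaking_headers(raw))
```

Feed it the header block of a 404 captured from your own server before and after switching to a custom error page; an empty findings list means no header value carries a filesystem path.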

