Date: Fri, 10 Jan 2014 15:28:00 -0800
Subject: “exception-message” header reveals path to document root in 404 response.
From: August Kleimo
To: users@tomcat.apache.org

I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server is revealing the path to the document web root in an "exception-message" header when a missing page is requested.

Does anyone know of a way to get rid of this header from the response?

Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header is coming from Tomcat.

$ curl -I http://mydomain.com/this-page-does-not-exist.html
HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2014 23:23:22 GMT
Server: Apache-Coyote/1.1
exception-message: Page /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html] not found
Content-Type: text/html;charset=UTF-8
Content-Length: 44
Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close