Configure tomcat web server to prevent information leakage:

Problem Description: 

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of IIS. An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

 

 

Solution:

Configure our tomcat web server to prevent information leakage from the SERVER header of its HTTP response.

Steps:

  1. Go to the tomcat install directory:

<install-directory>/conf/web.xml

  1. Comment the welcome pages index file in web.xml file: 

<!–
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
–>

  1. Edit the file <install-directory>/conf/server.xml
  1. Search for the parameters <Host name=

Just below that line, insert the following parameters

<Valve className=”org.apache.catalina.valves.ErrorReportValve” showReport=”false” showServerInfo=”false” />

  1. Go to docs directiory <install-directory>/webapps/docs/WEB-INF/web.xml

Comment that tomcat documentation files.

  1. Bounce the tomcat servers.
  2. After all changes done the we have hide the tomcat server information leakage.

 

 

Recent Posts

Start typing and press Enter to search