| Field | Value |
|---|---|
| Summary | Implement the header X-Powered-By suggested by the servlet specification |
| Product | Tomcat 6 |
| Reporter | olivier dupuy <opldupuy> |
| Component | Catalina |
| Assignee | Tomcat Developers Mailing List <dev> |
| Status | RESOLVED FIXED |
| Severity | enhancement |
| Priority | P2 |
| Version | 6.0.20 |
| Target Milestone | default |
| Hardware | All |
| OS | All |
| See Also | https://issues.apache.org/bugzilla/show_bug.cgi?id=48004 |
Description
olivier dupuy, 2009-10-15 11:34:52 UTC

This is already available in conf/web.xml - default is off since it's a waste of bandwidth and a security hole (information disclosure).

True that it's there in web.xml and even in the 5.5 version. I agree that it is a security hole IN PRODUCTION, but for a development and test environment this is not a concern. Moreover you do not have the precise Tomcat version and the precise JVM version. You have this header: Server: Apache-Coyote/1.1, and this one: X-Powered-By: JSP/2.1. To be really useful this should IMHO be something such as: Server: Apache-Coyote/1.1 and X-Powered-By: JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04. And if you consider this to be a security hole, then the server header is also one and should be banned too for the same reasons. Sorry to insist, but the operation teams are not always what they should be and this information saves time for some development teams like mine. I am perfectly OK with a default value of "false" in web.xml to not show the header for the reasons mentioned by Tim. Thanks for considering my point of view. Olivier

Note that you can modify the server header to display anything you want to.

The updated X-Powered-By header has been fixed in trunk and proposed for 6.0.x.
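As an added example, not part of this bug report or of Tomcat itself: a small Python check that parses a raw HTTP response and reports which of the Server and X-Powered-By headers carry implementation version tokens (spec-level tokens such as JSP/2.1 are ignored), so a deployment can confirm before production that the header is off or stripped. The sample response is constructed from the header values quoted in the thread; `parse_headers`, `version_disclosures` and the constants are names chosen here.

```python
import re
from typing import Dict, List

# The two headers the thread is about; the debate is whether precise build
# versions belong in them outside a development or test environment.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Spec-level tokens such as JSP/2.1 name a specification version, not a
# concrete build, so they are not counted as a disclosure here.
SPEC_PRODUCTS = {"servlet", "jsp"}

# Product/Version tokens such as Tomcat/5.5.28 or JRE/SUN/1.5.0_12-b04.
PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+(?:/[\w.-]+)*)")

# Constructed sample response using the header values quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header section of a raw HTTP response (status line first)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def version_disclosures(raw: str) -> Dict[str, List[str]]:
    """Map each fingerprint header to the implementation version tokens it carries."""
    found: Dict[str, List[str]] = {}
    for name, values in parse_headers(raw).items():
        if name not in FINGERPRINT_HEADERS:
            continue
        tokens = [
            m.group(0)
            for value in values
            for m in PRODUCT_TOKEN.finditer(value)
            if m.group(1).lower() not in SPEC_PRODUCTS
        ]
        if tokens:
            found[name] = tokens
    return found
```

Running `version_disclosures(SAMPLE_RESPONSE)` reports Apache-Coyote/1.1 from Server and the Tomcat and JRE tokens from X-Powered-By, while a response carrying only `X-Powered-By: JSP/2.1` reports nothing.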