By default the HTTP "server" header for Spring Boot applications with embedded Tomcat is:
Server → Apache-Coyote/1.1
How can a different (custom) "server" header be used in Spring Boot?
For Tomcat itself, it can be configured at the <Connector> element in XML via the server attribute:
From https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Connectors :
The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 8.0.x is Apache-Coyote/1.1. This header can provide limited information to both legitimate clients and attackers.
But attackers will still know that this is a Tomcat server.
You can set custom headers using the StaticHeadersWriter in your Security config. Here's a Java config example:
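import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Write a fixed "Server" header on every response handled by the filter chain
                .addHeaderWriter(new StaticHeadersWriter("Server", "here to serve you"));
        // ....
    }
    // ...
}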
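The Connector `server` attribute mentioned in the question can also be set from Spring Boot code, so the value does not depend on the Spring Security filter chain. This is an added example, not part of the question or the answer above; it assumes Spring Boot 2.x or later with embedded Tomcat, and the class name, bean name and header value are hypothetical.

```java
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ServerHeaderConfig {

    // Hypothetical replacement value; choose one that reveals no product or version.
    private static final String SERVER_HEADER = "custom-server";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> serverHeaderCustomizer() {
        // Each connector created by the embedded Tomcat factory gets the
        // same "server" attribute that <Connector server="..."> sets in XML.
        return factory -> factory.addConnectorCustomizers(
                connector -> connector.setProperty("server", SERVER_HEADER));
    }
}
```

After deploying, check the response headers (for example with `curl -I`) on both a normal page and an error response to confirm the default value is gone.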