By default, Tomcat's error pages disclose both the existence of Tomcat and the exact version of the container that's handling the requests. This is nice for development, but in a production context this information is a potential security hole and it would be nice to disable it.
Thus I would like to know what the best (as in most straightforward/comprehensive) solution is to completely suppress Tomcat's default error pages. I am aware of the <error-page>
option in web.xml, but it seems to fail on both desired counts, partly because I would have to list the same alternative error page many times (one for each response code I want to handle), and because this strikes me as possibly not 100% robust; if an attacker can somehow get an error code returned that I haven't explicitly listed, they would get the default error page.
Ideally, a simple option to set a universal custom error page, or to flat out disable sending any HTML along with the error code in the default error page, would be best. If neither of those options are possible, I'd be interested in finding out what the typical way to implement this functionality is (bonus points for discussing/showing why those hypothetical options don't exist, since it seems my requirement would be quite standard for anyone using Tomcat in production...).
The simplest and most comprehensive way to do this is using the ErrorReportValve - just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false"/>
In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.
You can read more about this in the Security How To and in the documentation of the Error Report Valve.
<error-page>
is the right answer, but you don't want to just redirect all error codes to some generic message. You have to think about how you want to handle each error. If you're afraid you might miss one of the codes, check out the constants in the HttpServletResponse interface.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With