Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Reducing information disclosure in Tomcat error pages

Tags:

error-handling

tomcat

web-config

By default, Tomcat's error pages disclose both the existence of Tomcat and the exact version of the container that's handling the requests. This is nice for development, but in a production context this information is a potential security hole and it would be nice to disable it.

Thus I would like to know what the best (as in most straightforward/comprehensive) solution is to completely suppress Tomcat's default error pages. I am aware of the <error-page> option in web.xml, but it seems to fail on both desired counts, partly because I would have to list the same alternative error page many times (one for each response code I want to handle), and because this strikes me as possibly not 100% robust; if an attacker can somehow get an error code returned that I haven't explicitly listed, they would get the default error page.

Ideally, a simple option to set a universal custom error page, or to flat out disable sending any HTML along with the error code in the default error page, would be best. If neither of those options are possible, I'd be interested in finding out what the typical way to implement this functionality is (bonus points for discussing/showing why those hypothetical options don't exist, since it seems my requirement would be quite standard for anyone using Tomcat in production...).

like image 802
Andrzej Doyle Avatar asked Oct 05 '09 13:10

Andrzej Doyle

2 Answers

The simplest and most comprehensive way to do this is using the ErrorReportValve - just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false" 
    showServerInfo="false"/>

In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.

You can read more about this in the Security How To and in the documentation of the Error Report Valve.

like image 76
Valentin Avatar answered Sep 22 '22 21:09

Valentin

<error-page> is the right answer, but you don't want to just redirect all error codes to some generic message. You have to think about how you want to handle each error. If you're afraid you might miss one of the codes, check out the constants in the HttpServletResponse interface.

like image 33
Jeremy Stein Avatar answered Sep 23 '22 21:09

Jeremy Stein
Sign in to Comment

Related questions

How to start tomcat using maven in debug mode
How many instances are created for a HTTP servlet
How to replace default hikari cp to tomcat pool on spring boot 2.0
How to set JAVA_HOME or CATALINA_HOME if I have more than 1 version used for Projects?
Apache Server Noob: no listening sockets available
How can I map multiple contexts to the same war file in Tomcat?
Unit-testing servlets [closed]
Scheduled task in a web application? [duplicate]
solr - java heap space out of memory
Difference between WebApplicationException and WebServiceException in the context of Jax-RS (Jersey)
IntelliJ: Automatically update resources
Deploying in tomcat with exception: Cannot find operation isServiced
Exception when running Tomcat server org.apache.catalina.deploy.WebXml addServlet
Server Location (Catalina Home) folder is not valid
How to add SSL certificates to Tomcat in Docker container?
Spring boot after https: The Tomcat connector configured to listen on port 8444 failed to start.
how to build server level custom error page in tomcat?
java.lang.IllegalStateException : Could not find backup for factory javax.faces.context.FacesContextFactory
Where is the "server log" for Tomcat when running externally from IntelliJ Ultimate?
Supporting Sessions Without Cookies in Tomcat

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!