
remove server header tomcat

I am able to rename the value of org.apache.coyote.http11.Http11Protocol.SERVER to anything else, so the HTTP-Response-Header contains something like:

Server:Apache

instead of the default

Server:Apache-Coyote/1.1

Using an empty value for org.apache.coyote.http11.Http11Protocol.SERVER does not remove the Server-Header.

How can I remove the Server-Header from my responses?

nimo23 asked Jun 19 '12 13:06



2 Answers

You can modify your Tomcat server.xml and add a "server" option, setting it to whatever you want. The server option should be set for any HTTP or SSL connectors that you have running. For example, below is a sample HTTP Connector configuration from an example server.xml file:

<!-- "server" overrides the Server response header; "xpoweredBy" (camel case, as Tomcat spells it) controls the X-Powered-By header -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" enableLookups="false" xpoweredBy="false" server="Web"/>
Mahesh answered Oct 18 '22 12:10


Short answer - you can't remove the header, but you should modify it (see other answers).

The server header is defined in the RFC and it is mandatory. (not defined as optional in the spec)

Taken from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38

14.38 Server
The Server response-header field contains information about the software used by the origin server to handle the request.
The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.

If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45).

Note: Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.
RonK answered Oct 18 '22 11:10
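As an added check that is not part of either answer or of Tomcat itself, the following Python script parses a raw HTTP response and reports what the Server and X-Powered-By headers disclose, splitting the Server value into the product tokens that the RFC quoted by RonK defines (section 3.8), so that the effect of a server.xml change like Mahesh's can be verified. The two responses are constructed samples, not captures from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 2616 section 3.8: product = token ["/" product-version], and the
# Server field may also carry parenthesised comments. Token characters below
# follow the HTTP 'tchar' set.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT_RE = re.compile(rf"({_TCHAR})(?:/({_TCHAR}))?|\(([^)]*)\)")


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response head into a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def product_tokens(value: str) -> List[Tuple[str, Optional[str]]]:
    """Return (product, version) pairs from a Server value; comments are dropped."""
    return [(m.group(1), m.group(2))
            for m in _PRODUCT_RE.finditer(value) if m.group(1)]


def server_disclosure(raw: bytes) -> Dict[str, object]:
    """Report what the Server and X-Powered-By headers reveal about the origin."""
    headers = parse_headers(raw)
    products = [t for v in headers.get("server", []) for t in product_tokens(v)]
    versions = [f"{p}/{v}" for p, v in products if v]
    powered = headers.get("x-powered-by", [])
    return {
        "server_present": "server" in headers,
        "products": [p for p, _ in products],
        "versions_disclosed": versions,      # e.g. ['Apache-Coyote/1.1']
        "x_powered_by": powered,
        "ok": not versions and not powered,  # no version or framework leaked
    }


# Constructed sample responses (not captured from a real host): the Tomcat
# default from the question, and a response after server="Web" is configured.
DEFAULT_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                    b"X-Powered-By: Servlet/3.0\r\nContent-Length: 0\r\n\r\n")
HARDENED_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Web\r\nContent-Length: 0\r\n\r\n"
```

Feed it the bytes of a real response (for example the output of a raw socket read) to check a deployed connector; a product token without a version, or no Server header at all, passes the check.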