Which is the best way to mask / hide tomcat version from error pages?

Tags: version, tomcat

Could somebody please let me know which of the following two approaches is recommended and why:

  • Make the necessary changes to ServerInfo.properties

  • Define "error-page" in web.xml

254 likes
Sandhya Agarwal asked Feb 15 '10 14:02


3 Answers

The answers are a bit outdated, so: if you're using Tomcat 6 or newer (I've tested on Tomcat 7) you can use the ErrorReportValve to achieve the same in a way that is much easier to configure and maintain. Just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve):

<Valve className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false"/>

In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.

You can read more about this in the Security How To and in the documentation of the Error Report Valve.

61 likes
Valentin answered Oct 31 '22 14:10


I'd make the changes to ServerInfo.properties regardless - there may be other places to get the ServerInfo.properties version information than only error pages. (Maybe someone leaves up the default home page, samples, etc. and these may have it.)

Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying it in CATALINA_HOME/conf/web.xml - this will use your new specified error pages by default even if a developer forgets to specify error pages for their app.

31 likes
Nate answered Oct 31 '22 16:10
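As an added example (not code from Nate's answer or from the Tomcat project), the following POSIX shell script applies both changes Nate describes without editing catalina.jar: it writes an overriding ServerInfo.properties under $CATALINA_BASE/lib/org/apache/catalina/util/ and inserts two global error-page mappings before `</web-app>` in conf/web.xml. It assumes that Tomcat's common class loader searches ${catalina.base}/lib before the jars in that directory (the order in the stock catalina.properties common.loader entry), that the stock file's keys are server.info, server.number and server.built, and that each web application ships an /error.html; the label "Web Server" and the throwaway demo directory are constructed for the example.

```shell
#!/bin/sh
# Added example: apply the two hardening changes from the answer above.
# Nothing here touches a real Tomcat instance unless you pass its CATALINA_BASE.
set -e

# Write an overriding ServerInfo.properties.
# Assumption: the common class loader searches ${catalina.base}/lib before
# ${catalina.base}/lib/*.jar, so this copy is found before the one in catalina.jar.
# $1 = CATALINA_BASE, $2 = text to show instead of "Apache Tomcat/x.y.z"
write_serverinfo_override() {
    base="$1"
    label="${2:-Web Server}"
    dir="$base/lib/org/apache/catalina/util"
    mkdir -p "$dir"
    # Same three keys as the stock file; version number and build date are neutral.
    printf 'server.info=%s\nserver.number=0.0.0.0\nserver.built=\n' "$label" \
        > "$dir/ServerInfo.properties"
}

# Global error-page mappings for conf/web.xml. <location> is resolved inside each
# web application, so every deployed app must provide its own /error.html (assumed name).
error_page_fragment() {
    cat <<'EOF'
    <error-page>
        <error-code>404</error-code>
        <location>/error.html</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.html</location>
    </error-page>
EOF
}

# Insert the fragment immediately before </web-app> in the given conf/web.xml.
# The original is kept as web.xml.bak so the change can be reverted.
add_global_error_pages() {
    webxml="$1"
    grep -q '</web-app>' "$webxml" || { echo "no </web-app> in $webxml" >&2; return 1; }
    cp "$webxml" "$webxml.bak"
    frag="$(error_page_fragment)"
    awk -v frag="$frag" '/<\/web-app>/ { print frag } { print }' "$webxml.bak" > "$webxml"
}

# Demo run against a constructed, throwaway instance directory.
demo_base="$(mktemp -d)"
mkdir -p "$demo_base/conf"
printf '<web-app>\n</web-app>\n' > "$demo_base/conf/web.xml"
write_serverinfo_override "$demo_base" "Web Server"
add_global_error_pages "$demo_base/conf/web.xml"
echo "wrote $demo_base/lib/org/apache/catalina/util/ServerInfo.properties"
cat "$demo_base/conf/web.xml"
```

For a real instance, call `write_serverinfo_override /path/to/CATALINA_BASE "Web Server"` and `add_global_error_pages /path/to/CATALINA_BASE/conf/web.xml`, then restart Tomcat; `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` run from CATALINA_HOME still reports the jar's own values, so confirm the override by requesting a non-existent path rather than by that command.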


Changing ServerInfo.properties is the most secure. If you for example have deployed a webapp on http://example.com/contextname, one could still get a 404 by http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns a 503 error page).

That said, I honestly don't see any valid reasons to hide the Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.

4 likes
BalusC answered Oct 31 '22 16:10
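Whichever of the three approaches you pick (ErrorReportValve, ServerInfo.properties override, or custom error pages), the two responses BalusC mentions are the ones to verify: a request for a path that does not exist and a request with an unsupported method. The following POSIX shell script is an added example, not from any answer above, that checks a saved raw HTTP response for the "Apache Tomcat/x.y.z" string and for a Server header naming Tomcat or Coyote, and that can fetch those two responses from a server you administer with curl. The two sample responses, the method name BOGUS and the output file names are constructed for the example.

```shell
#!/bin/sh
# Added example: does an HTTP response still reveal the Tomcat version?
# Works on a saved raw response (headers + body); probe_url fetches live ones.
set -e

# Print every "Apache Tomcat/x.y.z" string found in the response file, one per line.
# Returns 0 if at least one was found, 1 if the response carries none.
tomcat_versions_in() {
    hits="$(grep -Eio 'Apache Tomcat/[0-9][0-9.]*' "$1" | sort -u)"
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print the Server: header if it names Tomcat or Coyote (the stock connector id
# older Tomcat releases send); returns 1 if no such header is present.
server_header_fingerprint() {
    hdr="$(grep -Ei '^Server:.*(tomcat|coyote)' "$1" | head -n 1 | tr -d '\r')"
    [ -n "$hdr" ] || return 1
    printf '%s\n' "$hdr"
}

# Overall verdict for one response file: "leak" or "clean".
verdict() {
    if tomcat_versions_in "$1" >/dev/null || server_header_fingerprint "$1" >/dev/null; then
        echo leak
    else
        echo clean
    fi
}

# Fetch the two responses discussed above from a server you run and judge each.
# $1 = base URL of your deployment, $2 = directory to keep the raw responses in.
probe_url() {
    base_url="$1"; outdir="$2"
    mkdir -p "$outdir"
    curl -s -i -o "$outdir/missing.txt" "$base_url/this-path-does-not-exist-$$"
    curl -s -i -o "$outdir/badmethod.txt" -X BOGUS "$base_url/"
    for f in "$outdir"/*.txt; do
        printf '%s: %s\n' "$f" "$(verdict "$f")"
    done
}

# Constructed samples (not captured from any real host): a stock-looking default
# error page, and the kind of custom page served after hardening.
LEAKY_SAMPLE='HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8

<html><head><title>Apache Tomcat/7.0.52 - Error report</title></head>
<body><h1>HTTP Status 404 - /nope</h1><hr><h3>Apache Tomcat/7.0.52</h3></body></html>'

CLEAN_SAMPLE='HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8

<html><body><h1>Page not found</h1></body></html>'

demo_dir="$(mktemp -d)"
printf '%s\n' "$LEAKY_SAMPLE" > "$demo_dir/leaky.txt"
printf '%s\n' "$CLEAN_SAMPLE" > "$demo_dir/clean.txt"
for f in "$demo_dir"/*.txt; do
    printf '%s: %s\n' "$(basename "$f")" "$(verdict "$f")"
done
```

Run `probe_url http://localhost:8080 /tmp/tomcat-check` against your own instance before and after the change; a "clean" verdict on both files means neither the error page body nor the Server header identifies Tomcat, while the ErrorReportValve alone (showServerInfo="false") leaves the header untouched, which this check makes visible.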