Hiding the Apache Tomcat server header

Depending on the release, Apache Tomcat identifies itself in the Server response header, and an identifiable product or version string is an information-disclosure weakness rather than an exploitable bug in itself: banner data is indexed by public search engines such as Shodan, and an exact version lets an attacker match the installation against known vulnerabilities without further probing. To stop the header from exposing this information, set the server attribute on each HTTP and HTTPS Connector in server.xml to a neutral string. Note that this attribute changes only the Server header; it does not affect version information that Tomcat may include elsewhere, such as in its default error pages.

Procedure

  1. In the conf subdirectory of the Apache Tomcat home directory, open server.xml for editing.
  2. Find the Connector element(s) that you use for HTTP and/or HTTPS.
  3. Ensure that each of these elements carries a server attribute set to a string that discloses neither product nor version, for example, server="TEST". When this attribute is set, its value also overrides any Server header that a deployed web application tries to send.
  4. Save and close server.xml.
  5. Restart Apache Tomcat.
  6. Verify the change by sending a HEAD request to each connector (for example, with curl -sI) and confirming that the Server header now shows the configured string, or is absent, rather than a Tomcat product or version string.
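The following Python script is an added example and is not part of this documentation or of Apache Tomcat itself. It audits a server.xml for HTTP/HTTPS Connector elements whose server attribute is missing or still contains a version-like value (AJP connectors are skipped because they do not speak HTTP to clients), and checks the Server header of a raw HTTP response. The sample server.xml and the sample response are constructed for illustration; the function names (audit_connectors, server_header_of, discloses_identity, fetch_server_header) are this example's own.

```python
"""Audit Tomcat connectors and responses for Server-header disclosure.

Added example, not part of the documentation or of Apache Tomcat.
Assumes the standard server.xml layout (Server > Service > Connector).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from http.client import HTTPConnection  # used only by fetch_server_header()

# Constructed sample: the 8080 connector still lacks a server attribute,
# the 8443 connector has been hardened, and 8009 is AJP (not audited).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               server="TEST" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# A banner is considered revealing if it names the product or carries a
# version-like token such as "9.0.71" or "Apache-Coyote/1.1".
PRODUCT_RE = re.compile(r"tomcat|coyote", re.IGNORECASE)
VERSION_RE = re.compile(r"\d+\.\d+")


def discloses_identity(value: str | None) -> bool:
    """True if a Server header value names the product or looks versioned."""
    if value is None:
        return False
    return bool(PRODUCT_RE.search(value) or VERSION_RE.search(value))


def audit_connectors(server_xml: str) -> list[dict]:
    """One finding per HTTP/HTTPS Connector: missing, discloses-version, or ok."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "ajp" in proto.lower():
            continue  # AJP connectors never emit an HTTP Server header
        value = conn.get("server")
        if value is None:
            status = "missing"
        elif discloses_identity(value):
            status = "discloses-version"
        else:
            status = "ok"
        findings.append({"port": conn.get("port"), "server": value, "status": status})
    return findings


def server_header_of(raw_response: str) -> str | None:
    """Extract the Server header from a raw HTTP response head (CRLF-delimited)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == "server":
            return val.strip()
    return None


def fetch_server_header(host: str, port: int = 8080, path: str = "/") -> str | None:
    """Issue a HEAD request to a live Tomcat and return its Server header.

    Not exercised by the offline sample; run it after restarting Tomcat.
    """
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
    # Constructed response from an older Tomcat that still sends its default banner.
    sample_response = "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"
    banner = server_header_of(sample_response)
    print(banner, "revealing" if discloses_identity(banner) else "neutral")
```

Run the script against a copy of the real conf/server.xml by replacing SAMPLE_SERVER_XML with the file contents, and call fetch_server_header("localhost") after the restart in step 5 to confirm the header now shows the configured string (or nothing at all).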