Hi Cris, try to add following to your web.xml <error-page> <error-code>404</error-code> <!-- HTTP status code --> <error-page>/error404.html</error-page> <!-- static page, servlet URL or JSP --> </error-page> regards Leon
On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US <cberneb...@caci.com > wrote: > We are getting dinged by a vulnerability scan for the default not-found > error page being returned by Tomcat for a Status 404. > > On my dev server when requesting an invalid URL, Tomcat returns a Status > 404 page that displays the Tomcat version. Right, I need to do something > about that. > > However, I can't find where the error-page for 404 is defined. It's not > defined in: > - webapps/ROOT/WEB-INF/web.xml > - conf/web.xml > - conf/server.xml > - conf/context.xml > > Also, I can't find a notFound or error page either. > > How do I get rid of or override the default error / 404 / not-found page > if I can't find it or where it is currently defined? Also, how is Tomcat > returning the default 404 error page if it does not exist? I hope it's not > hardcoded in a servlet response. > > FYI, we're going to remove the ROOT, docs, and examples folders to > mitigate other scan findings. > > And we're using Tomcat 6.0.37 (ahem). > > -- > Cris Berneburg > CACI Lead Software Engineer > >