Hi Cris,
try to add following to your web.xml
<error-page>
<error-code>404</error-code> <!-- HTTP status code -->
<error-page>/error404.html</error-page> <!-- static page, servlet
URL or JSP -->
</error-page>
regards
Leon
On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US <cberneb...@caci.com
> wrote:
> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version. Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined. It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined? Also, how is Tomcat
> returning the default 404 error page if it does not exist? I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
