You can add this valve to your server.xml to keep it from showing the
version info.
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />
Noelette
On Wed, Oct 22, 2025 at 8:44 AM Jerome A. Wendell <[email protected]>
wrote:
> We use Tomcat on a website that requires subscriptions, so payments are
> made
> on the website. With the new PCI Compliance regulations and scans, it
> appears that the version of Tomcat used being displayed on the error pages
> is a vulnerability. I have tried creating custom error pages based on
> information found from searching the web on this issue, but the solutions
> that I have tried do not work. Is there a way to prevent the Tomcat
> version
> number from being displayed on the error pages?
>
>
>
> Thanks,
>
>
>
> Jerome A. Wendell
>
>
>
>
--
Noelette Stout
Enterprise Access Manager
Senior Application Administrator
Idaho State University
E-mail: stounoel "at" isu "dot" edu
Desk: 208-282-2554
*I am sending this message now because it suits me, but I don’t expect that
you will read, respond to, or act on it outside of comfortable hours for
your time zone.*
