Re: Tomcat Version Number on Error Pages

[i...@flyingfischer.ch.INVALID]

Maybe in addition: define in web.xml custom error pages:

    <!-- Custom error page for errors -->
    <error-page>
        <error-code>400</error-code>
        <location>/error400.html</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/error401.html</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/error403.html</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/error404.html</location>
    </error-page>
    <error-page>
        <error-code>405</error-code>
        <location>/error405.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error500.html</location>
    </error-page>

Make sure to create the appropriate files.

Best regards
Markus


Am 22.10.25 um 16:54 schrieb Jerome A. Wendell:

Noelette,

Thank you very much for your quick reply and the information.  I really 
appreciate it.  I will give this a try.

Thanks,

Jerome A. Wendell


-----Original Message-----

From: Noelette Stout<stoun...@isu.edu> Sent: Wednesday, October 22, 2025 10:48 AM

To: Tomcat Users List<users@tomcat.apache.org>
Subject: Re: Tomcat Version Number on Error Pages

You can add this valve to your server.xml to keep it from showing the version 
info.

<Valve className="org.apache.catalina.valves.ErrorReportValve"
                showReport="false" showServerInfo="false" />

Noelette

On Wed, Oct 22, 2025 at 8:44 AM Jerome A. Wendell<jawend...@suddenlink.net>
wrote:

We use Tomcat on a website that requires subscriptions, so payments
are made on the website.  With the new PCI Compliance regulations and
scans, it appears that the version of Tomcat used being displayed on
the error pages is a vulnerability.  I have tried creating custom
error pages based on information found from searching the web on this
issue, but the solutions that I have tried do not work.  Is there a
way to prevent the Tomcat version number from being displayed on the
error pages?



Thanks,



Jerome A. Wendell

--
Noelette Stout
Enterprise Access Manager
Senior Application Administrator
Idaho State University
E-mail: stounoel "at" isu "dot" edu
Desk: 208-282-2554
*I am sending this message now because it suits me, but I don’t expect that you 
will read, respond to, or act on it outside of comfortable hours for your time 
zone.*


---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org