Make sure the ErrorReportValve is last in the <Host> ... </Host> tags.
Also, if you do custom pages, the Valve has "required "attributes for that as
well.
Thanks!
-Joey
[cid:39c0cc87-3115-44eb-9bc3-7ae7d90c3f0e]
Joey Cochran
Systems Administrator II
Middleware Developer
Information Technology Division
Middle Tennessee State University
615-898-2714
www.mtsu.edu
________________________________
From: Jerome A. Wendell <[email protected]>
Sent: Wednesday, October 22, 2025 10:08 AM
To: 'Tomcat Users List' <[email protected]>
Subject: [EXTERNAL] RE: Tomcat Version Number on Error Pages
Markus,
Thanks for your reply. I tried doing just as you suggested, and I could never
get it to work.
Thanks,
Jerome A. Wendell
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Wednesday, October 22, 2025 11:04 AM
To: [email protected]
Subject: Re: Tomcat Version Number on Error Pages
Maybe in addition: define in web.xml custom error pages:
<!-- Custom error page for errors -->
<error-page>
<error-code>400</error-code>
<location>/error400.html</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/error401.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error403.html</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error404.html</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/error405.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error500.html</location>
</error-page>
Make sure to create the appropriate files.
Best regards
Markus
Am 22.10.25 um 16:54 schrieb Jerome A. Wendell:
> Noelette,
>
> Thank you very much for your quick reply and the information. I really
> appreciate it. I will give this a try.
>
> Thanks,
>
> Jerome A. Wendell
>
>
> -----Original Message-----
> From: Noelette Stout<[email protected]>
> Sent: Wednesday, October 22, 2025 10:48 AM
> To: Tomcat Users List<[email protected]>
> Subject: Re: Tomcat Version Number on Error Pages
>
> You can add this valve to your server.xml to keep it from showing the version
> info.
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
> showReport="false" showServerInfo="false" />
>
> Noelette
>
> On Wed, Oct 22, 2025 at 8:44 AM Jerome A.
> Wendell<[email protected]>
> wrote:
>
>> We use Tomcat on a website that requires subscriptions, so payments
>> are made on the website. With the new PCI Compliance regulations and
>> scans, it appears that the version of Tomcat used being displayed on
>> the error pages is a vulnerability. I have tried creating custom
>> error pages based on information found from searching the web on this
>> issue, but the solutions that I have tried do not work. Is there a
>> way to prevent the Tomcat version number from being displayed on the
>> error pages?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Jerome A. Wendell
>>
>>
>>
>>
> --
> Noelette Stout
> Enterprise Access Manager
> Senior Application Administrator
> Idaho State University
> E-mail: stounoel "at" isu "dot" edu
> Desk: 208-282-2554
> *I am sending this message now because it suits me, but I don’t expect
> that you will read, respond to, or act on it outside of comfortable
> hours for your time zone.*
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:[email protected]
> For additional commands, e-mail:[email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
