> From: Dave Girardin [mailto:[EMAIL PROTECTED]
> Subject: How to turn off Etag headers?
>
> Impact: Among the file attributes included in the header is the file inode number that is returned to a client.
Although paranoia is often helpful when analyzing security risks, I think your assessment team may have gone overboard on this one. Looking at the source code for DefaultServlet and ResourceAttributes, only a weak ETag is normally sent out, consisting of nothing but the file size and last modified time - unlike httpd, it does not include the inode number. There is provision for a more detailed ETag (a strong ETag), but as far as I can tell, no use is made of it.

There are three spots in DefaultServlet that set the ETag header, and none of them appear to be configurable; if your security team insists on disabling ETags, it would be simple to just comment out those three lines.

There's a related article here:
http://blog.bcarlso.net/articles/2007/10/19/tomcat-weak-etags-and-javascript-css-caching
but the examples given contain several errors, so take it with a grain of salt.

- Chuck
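As an added example (not from Chuck's message and not Tomcat project code), a small checker that classifies an ETag header value by the formats discussed in the thread: Tomcat's weak size-and-mtime form versus an httpd-style value that carries an inode number. The exact field layouts (Tomcat `W/"<contentLength>-<lastModified ms>"`, httpd `"<inode>-<size>-<mtime>"` in hex) are assumptions about those servers, and all header values below are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample ETag values (not captured from any real server).
TOMCAT_WEAK = 'W/"1234-1187000000000"'         # assumed Tomcat layout: length-lastModified(ms)
HTTPD_INODE = '"2a1f3-4d2-4c5e7a3f2b9c0"'       # assumed httpd layout with inode: inode-size-mtime (hex)
HTTPD_NO_INODE = '"4d2-4c5e7a3f2b9c0"'          # assumed httpd layout without inode: size-mtime (hex)
OPAQUE = '"5f3c9a1e8b7d6c4f2a1b3c5d7e9f0a1b"'   # e.g. a content hash, carries no file metadata

_ETAG_RE = re.compile(r'^(W/)?"([^"]*)"$')


@dataclass
class ETagInfo:
    weak: bool
    fields: list
    kind: str


def _is_hex(s: str) -> bool:
    return bool(s) and all(c in "0123456789abcdef" for c in s.lower())


def parse_etag(value: str) -> ETagInfo:
    """Split an ETag header into its weak flag and dash-separated fields, then
    classify it heuristically against the layouts assumed above."""
    m = _ETAG_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a valid ETag: {value!r}")
    weak = m.group(1) is not None
    fields = m.group(2).split("-")
    if weak and len(fields) == 2 and all(f.isdigit() for f in fields):
        kind = "tomcat-size-mtime"          # decimal size and mtime, no inode
    elif not weak and len(fields) == 3 and all(_is_hex(f) for f in fields):
        kind = "httpd-inode-size-mtime"     # first hex field is the inode number
    elif not weak and len(fields) == 2 and all(_is_hex(f) for f in fields):
        kind = "httpd-size-mtime"           # inode omitted from the ETag
    else:
        kind = "opaque"
    return ETagInfo(weak, fields, kind)


def exposes_inode(value: str) -> bool:
    """True when the ETag carries a filesystem inode number (the concern in the thread)."""
    return parse_etag(value).kind == "httpd-inode-size-mtime"


def tomcat_weak_etag(content_length: int, last_modified_ms: int) -> str:
    """Assumed reconstruction of the weak ETag Tomcat derives from size and mtime only."""
    return f'W/"{content_length}-{last_modified_ms}"'
```

Running `exposes_inode` over the ETag returned for a few static resources is a quick way to confirm a deployment does not expose inode numbers, whatever server is in front.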