On 13/08/2009 12:18, acastanheira2001 wrote:
> Hi,
> Can you tell me which response headers I need to suppress in order to
> improve security?
I'm sure it'll start a vigorous discussion if I say it, but IMHO there's
not much of an improvement to security to be gained from hiding these
headers.
> Response headers example:
> Server: Apache-Coyote
> x-powered-by: <My server information>
> I think the above headers inform too much, so I will remove them.
> See attribute "xpoweredBy"
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> to turn it off.
> Am I paranoid, or is it a good practice?
Paranoid. What level of security do you really need, and who has access to
the website?
Depending on what your URLs look like (e.g. ".jsp"), it might be easy to
eliminate a few types of server - and obfuscation doesn't tend to
improve security more than it hides real security problems.
Tools like nmap can make guessing system info fairly trivial.
You're probably better off expending time on real security issues, like
ensuring that form content (e.g. search fields) are properly sanitised
before being redisplayed.
p
> Thanks,
> André
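For reference, a server.xml Connector fragment showing the "xpoweredBy" attribute from the linked Tomcat 6 HTTP Connector page next to the "server" attribute documented alongside it. This is an added example, not code from the thread; it assumes the stock HTTP/1.1 Connector on port 8080, and the replacement Server value is an arbitrary placeholder.

```xml
<!-- Before: the Connector as the original poster evidently has it.
     Tomcat 6 sends "Server: Apache-Coyote/1.1" by default, and with
     xpoweredBy="true" it also sends an X-Powered-By header naming the
     Servlet/JSP versions it implements. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           xpoweredBy="true" />

<!-- After: X-Powered-By is suppressed (xpoweredBy="false", which is
     also the Tomcat default) and the Server header is overridden with a
     neutral value via the Connector's "server" attribute. "Web" is an
     arbitrary placeholder chosen for this example. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           xpoweredBy="false"
           server="Web" />
```

After restarting Tomcat, `curl -I http://localhost:8080/` shows whether the two headers are gone; as noted above, this only removes an easy hint and does nothing about the ".jsp" URLs or actual input-handling bugs.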
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org