2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors

Information

The xpoweredBy setting determines if Apache Tomcat will advertise its presence via the X-Powered-By HTTP header. It is recommended that this value be set to false. The server attribute overrides the default value that is sent down in the HTTP header further masking Apache Tomcat.

Rationale:

Preventing Tomcat from advertising its presence in this manner may increase the complexity for attackers to determine which vulnerabilities affect the server platform.

Solution

Perform the following to prevent Tomcat from advertising its presence via the X-PoweredBy HTTP header.

Add the xpoweredBy attribute to each Connector specified in $CATALINA_HOME/conf/server.xml. Set the xpoweredBy attributes value to false.

<Connector
...
xpoweredBy='false' />

Alternatively, ensure the xpoweredBy attribute for each Connector specified in $CATALINA_HOME/conf/server.xml is absent.

Add the server attribute to each Connector specified in $CATALINA_HOME/conf/server.xml. Set the server attribute value to anything except a blank string.

Default Value:

The default value is false.

References:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html

See Also

https://workbench.cisecurity.org/files/2509

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30, CSCv7|13.2

Plugin: Unix

Control ID: 4729a88fc6e3e4fa65b6d50b4593b5b2a6984f697175d6a46d8b5a1810cb49c1