Back before PCI, we used to be able to display things like the type and version of the web server software we were running on our sites. We wanted everyone to know that we were using Apache or IIS or Netscape Enterprise Server. We wanted to make sure that NetCraft could view that information, too. Software writers, both commercial and open-source, easily accomodated our wishes, setting version information up right in the header. For some, outputting this information in a Server header and footer page was not enough, so a new HTTP Header was introduced called "X-Powered-By". Unfortunately, displaying the OS, Web, or App Server information is considered an information disclosure vulnerability now so we all need to now configure our servers so this information is not provided.
JBoss inserts an X-Powered-By header in every HTTP response header; typically providing juicy bits of information like the Servlet specification that JBoss complies with, the JBoss app server version number, a build number, and the version of tomcat or jboss web that the app server utilizes. If you need to know how to suppress the X-Powered-By header in JBoss, read on and note that the technique varies depending upon the version of JBoss you are running.
JBoss 4.2.X
Suppressing the X-Powered-By header in JBoss 4.2.x can be done by modifying the web.xml file located in ${jboss.home}/server/${server.instance.name}/deploy/jboss-web.deployer/conf/. For example, if you are using the 'default' instance and running jboss 4.2.3 from /usr/local, the path to the configuration file would be /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/. Locate the Common Filter Configuration line (line 25 on a stock 'default' server instance configuration file) and comment out the lines for the init-param, param-name, and param-value entries. Example below
<!-- ================== Common filter Configuration ==================== -->
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<!-- <init-param> -->
<!-- <param-name>X-Powered-By</param-name> -->
<!-- <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807 181439)/JBossWeb-2.0</param-value> -->
<!-- </init-param> -->
</filter>
Restart JBoss and the header will no longer show up.
JBoss 5.0
The web.xml file that needs to be updated is located in a different location than with JBoss 4,2 but the technique is the same. To suppress the X-Powered-By header under JBoss 5.0, comment out the init-param, param-name, and param-value line entries from the web.xml located in ${jboss.home}server/${server.instance.name}/deployers/jbossweb.deployer/.
<!-- ================== Common filter Configuration ==================== -->
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>
org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<!-- <init-param> -->
<!-- <param-name>X-Powered-By</param-name> -->
<!-- <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value> -->
<!-- </init-param> -->
Once you have made the configuration changes, restart JBoss so they can take effect.
JBoss 6.0
In order to suppress the X-Powered-By header in JBoss 6, you no longer make changes to web.xml files but instead modify the catalina.properties file included with your server instance. Edit the catalina.properties file located in ${jboss.home}/server/${server.instance.name}/deploy/jbossweb.sar/. Locate the property named: org.apache.catalina.connector.X_POWERED_BY and set its value to false. Restart the server and you're all set.
Related Content
Tomcat/JBoss: Suppressing Server Identity - Part One
Tomcat/JBoss: Suppressing Server Identity - Part Two
