https://issues.apache.org/bugzilla/show_bug.cgi?id=48006
olivier dupuy <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | --- Comment #2 from olivier dupuy <[email protected]> 2009-10-15 12:01:07 UTC --- True that it's there in web.xml and even in the 5.5 version. I agree that it is a security hole IN PRODUCTION but for a development and test environment this is not a concern. Moreover you do not have the precise Tomcat version and the precise JVM version You have this header Server Apache-Coyote/1.1 and this one X-Powered-By JSP/2.1 This should be like IMHO to be really useful something such as Server Apache-Coyote/1.1 X-Powered-By JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04) And if you consider this to be a security hole then the the server header is also one and should be banned too for the same reasons. Sorry to insist but the operation teams are not always what they should be and this information saves time for some development teams like mine. I am perfectly OK with a default value of "false" in web.xml to not show the header for the reasons mentioned by Tim. Thanks to consider my point of view Olivier -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
