How to Hide Apache Tomcat Version Number from Error Pages

by Ramesh Natarajan on August 15, 2013

Question: I’m running an Apache Tomcat server. How do I hide the Tomcat version number from the error pages?

Answer: Apache Tomcat is a server for Java Servlets and JSP. When you request a page that doesn’t exist on the Tomcat server, or when an existing page returns an error, Tomcat displays its version number on the error page. This might be a security risk, especially if you are running an old Tomcat server that has some known exploits.

If for some reason you can’t upgrade the Tomcat server to the latest version, and you just want to hide the version number from the error pages, follow the steps below.

Go to $CATALINA_HOME/lib and create the org/apache/catalina/util directory under it. In the following example, /home/tomcat is the $CATALINA_HOME.

cd /home/tomcat/lib

mkdir -p org/apache/catalina/util

Go to this newly created directory, and create a file, and add the parameter as shown below. Set the value of this parameter to anything you like.

cd org/apache/catalina/util

$ vi Tomcat Version X

After this, restart the Tomcat server.

./ stop
./ start

Now, if you go to the error page, you’ll not see the Tomcat version number. Instead, you’ll see the text you’ve set for the parameter.
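The steps above as one script with a check that the override is in place, added here as an example and not the author's own code. It assumes the override file is `ServerInfo.properties` with the key `server.info` (Tomcat's names for this setting; they are not legible in the steps as shown on this page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's code. Assumption: Tomcat reads the banner
# from ServerInfo.properties (key server.info) under lib/org/apache/catalina/util.
OVERRIDE_REL="lib/org/apache/catalina/util/ServerInfo.properties"

# Write the override. Refuses a banner that still carries a dotted version.
set_server_info() {
    home=$1
    banner=$2
    [ -d "$home/lib" ] || { echo "no lib/ directory under $home" >&2; return 2; }
    if printf '%s\n' "$banner" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo "banner still contains a version-like string" >&2
        return 3
    fi
    target="$home/$OVERRIDE_REL"
    mkdir -p "$(dirname "$target")" || return 1
    # Keep a copy of any earlier override so the change can be rolled back.
    if [ -f "$target" ]; then cp -p "$target" "$target.bak"; fi
    printf 'server.info=%s\n' "$banner" > "$target"
    chmod 644 "$target"
}

# Print the banner the override sets; fails when no override file exists.
get_server_info() {
    [ -f "$1/$OVERRIDE_REL" ] || return 1
    sed -n 's/^server\.info=//p' "$1/$OVERRIDE_REL" | tail -n 1
}

# Audit check: succeeds only if an override exists and leaks no version number.
banner_is_hidden() {
    info=$(get_server_info "$1") || return 1
    [ -n "$info" ] || return 1
    ! printf '%s\n' "$info" | grep -Eq '[0-9]+\.[0-9]+'
}

# Usage (Tomcat must be restarted afterwards, as in the article):
#   set_server_info /home/tomcat "Tomcat Version X" && banner_is_hidden /home/tomcat
```

`banner_is_hidden` only inspects the override file, so it confirms the configuration, not what a fingerprinting tool can still infer from the server's behaviour.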

After you do the above, if you want to see the Tomcat version number, you can still do it from the command line, using the script as shown below.

Server version: Apache Tomcat/7.0.35
Server number:


8 comments

1 Sys. student August 15, 2013 at 8:39 am

How to install tomcat from the beginning on a cPanel server (CentOS 6.x 64-bit with cPanel installed) ?

2 John August 15, 2013 at 9:37 pm

Thanks. How can I do the same thing for Apache webserver?

3 sugatang itlog August 16, 2013 at 12:00 am

John, in your Apache config (httpd.conf for CentOS), change the following to this … and reload or restart Apache.

ServerTokens Prod
ServerSignature Off

thanks and more power TheGeekStuff!

4 Bernhard August 17, 2013 at 5:12 am

There are several tools to retrieve the server and version number with omitted Server header (this is called fingerprinting). Therefore solely removing the version number is not going to stop many attackers.

5 rajesh August 18, 2013 at 10:38 pm

I agree with you. Can you suggest some methods to prevent retrieval of server and version number.

6 Sunil Rodrigues October 22, 2013 at 12:51 pm

Had to update catalina.jar on Windows as described in this OWASP document.

7 Kevin March 20, 2014 at 5:55 pm

Create a custom error page. You can then control what is displayed as well as the formatting.

8 Marcelo October 10, 2014 at 8:26 am

Amazing solution!
Thanks a lot!
