
How to Hide Apache Tomcat Version Number from Error Pages

Question: I’m running an Apache Tomcat server. How do I hide the Tomcat version number from the error pages?

Answer: Apache Tomcat is a server for Java Servlets and JSP. When you request a page that doesn’t exist on the Tomcat server, or when an existing page returns an error, Tomcat displays its version number on the error page. This might be a security risk, especially if you are running an old Tomcat server that has some known exploits.

If for some reason you can’t upgrade the Tomcat server to the latest version, and you just want to hide the version number from the error pages, follow the steps below.

Go to $CATALINA_HOME/lib, and create the org/apache/catalina/util directory under it. In the following example, /home/tomcat is the $CATALINA_HOME.

cd /home/tomcat/lib

mkdir -p org/apache/catalina/util

Go to this newly created directory, and create a ServerInfo.properties file, and add the server.info parameter as shown below. Set the value of this parameter to anything you like.

cd org/apache/catalina/util

$ vi ServerInfo.properties
server.info=Apache Tomcat Version X

After this, restart the Tomcat server.

cd $CATALINA_HOME/bin
./catalina.sh stop
./catalina.sh start

Now, if you go to the error page, you’ll no longer see the Tomcat version number. Instead, you’ll see the text you’ve set for the server.info parameter.

After you do the above, you can still see the Tomcat version number from the command line, using the version.sh script as shown below.

$ $CATALINA_HOME/bin/version.sh
..
Server version: Apache Tomcat/7.0.35
Server number:  7.0.35.0
..
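
The steps above as a script, together with a check that a saved error page no longer shows the version. This is an added example, not part of the original article; the function names are hypothetical, and the sample error pages are constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example: apply the ServerInfo.properties override and check a saved
# error page for a leftover version banner. Function names are hypothetical.

VERSION_RE='Apache Tomcat/[0-9]+\.[0-9]+'

# write_serverinfo_override CATALINA_HOME [BANNER]
# Creates lib/org/apache/catalina/util/ServerInfo.properties under CATALINA_HOME.
write_serverinfo_override() {
    tc_home=$1
    tc_banner=${2:-Apache Tomcat}
    # An empty argument would resolve to /lib, so reject it explicitly.
    if [ -z "$tc_home" ] || [ ! -d "$tc_home/lib" ]; then
        echo "error: '$tc_home/lib' not found; is this CATALINA_HOME?" >&2
        return 1
    fi
    # A banner that still carries a version number defeats the purpose.
    if printf '%s\n' "$tc_banner" | grep -Eq "$VERSION_RE"; then
        echo "error: banner still contains a version string" >&2
        return 1
    fi
    tc_dir="$tc_home/lib/org/apache/catalina/util"
    mkdir -p "$tc_dir" || return 1
    printf 'server.info=%s\n' "$tc_banner" > "$tc_dir/ServerInfo.properties"
}

# leaks_tomcat_version FILE
# Succeeds (exit 0) if FILE, a saved HTTP response, still shows "Apache Tomcat/<x.y>".
leaks_tomcat_version() {
    grep -Eq "$VERSION_RE" "$1"
}

# make_sample_pages DIR
# Writes two constructed error pages (not captured from a real server).
make_sample_pages() {
    printf '<h1>HTTP Status 404 - /nope</h1><h3>Apache Tomcat/7.0.35</h3>\n' > "$1/before.html"
    printf '<h1>HTTP Status 404 - /nope</h1><h3>Apache Tomcat Version X</h3>\n' > "$1/after.html"
}

# Stand-alone use: sh this_file /home/tomcat "Apache Tomcat Version X"
if [ "$#" -ge 1 ]; then
    write_serverinfo_override "$@"
fi
```

After restarting Tomcat, save a response for a missing page (for example with curl -si against your own server; the URL is whatever your instance listens on) and pass the file to leaks_tomcat_version.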

Comments on this entry are closed.

  • Sys. student August 15, 2013, 8:39 am

    How to install tomcat from the beginning on a cPanel server (CentOS 6.x 64-bit with cPanel installed) ?

  • John August 15, 2013, 9:37 pm

    Thanks. How can I do the same thing for Apache webserver?

  • sugatang itlog August 16, 2013, 12:00 am

    John, in your apache config (httpd.conf for CentOS), change the following to this … and reload or restart apache.

    ServerTokens Prod
    ServerSignature Off

    thanks and more power TheGeekStuff!

  • Bernhard August 17, 2013, 5:12 am

    There are several tools to retrieve the server and version number with omitted Server header (this is called fingerprinting). Therefore solely removing the version number is not going to stop many attackers.

  • rajesh August 18, 2013, 10:38 pm

    Bernhard,
    I agree with you. Can you suggest some methods to prevent retrieval of server and version number?

  • Sunil Rodrigues October 22, 2013, 12:51 pm

    Had to update catalina.jar on Windows as described in this OWASP document.

  • Kevin March 20, 2014, 5:55 pm

    Create a custom error page. You can then control what is displayed as well as the formatting.

  • Marcelo October 10, 2014, 8:26 am

    Amazing solution!
    Thanks a lot!

  • Vetha Manoj February 13, 2015, 6:54 am

    Hi,

    Thank you. Excellent Solution.

    How Can I do the same thing for CATALINA_BASE ?

    It works fine with CATALINA_HOME.

    Thanks in Advance.

  • Abdul Rahim March 2, 2016, 3:21 pm

    Does not work on Tomcat 8.0.30

  • Abhishek December 19, 2016, 5:57 am

    Thanks a lot…