5 Replies Latest reply on Jun 18, 2014 11:38 AM by parikh.urvish

    Unable to hide 'x-powered-by' header

    benashmead

      Hi,

      I'm trying to harden our AS7 servers and strip out any extraneous headers that could reveal vulnerabilities - I've been using the guide here: http://blog.csnc.ch/2012/02/jboss-7-1-web-server-hardening/

      My standalone.xml currently looks like this:

          <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
              <connector name="AJP" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
              <configuration>
                  <jsp-configuration display-source-fragment="false" x-powered-by="false"/>
              </configuration>
              <virtual-server name="default-host" enable-welcome-root="true">
                  <alias name="localhost"/>
                  <alias name="example.com"/>
              </virtual-server>
          </subsystem>

      JBoss appears to start without any errors, but I still get these headers when I request a page from the app:

      1. Connection:close
      2. Content-Encoding:gzip
      3. Content-Type:text/html;charset=UTF-8
      4. Date:Tue, 14 Aug 2012 15:34:02 GMT
      5. Server:Apache
      6. Transfer-Encoding:chunked
      7. Vary:Accept-Encoding
      8. X-Powered-By:JSF/1.2

      I'm trying to get rid of the 'X-Powered-By:' header altogether. Any ideas what I'm doing wrong?

      Thanks.
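A small header audit that checks a response for the fingerprinting headers listed in the post above (added example, not code from the thread or from JBoss; the sample response is constructed to mirror the listed headers, and the `allowed_server` parameter is a hypothetical way to whitelist a generic `Server` value such as one set via the SERVER system property):

```python
"""Audit an HTTP response for platform-disclosure headers (constructed example)."""
from http.client import HTTPConnection, parse_headers
from io import BytesIO

# Constructed raw response modelled on the header list in the original post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Date: Tue, 14 Aug 2012 15:34:02 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: JSF/1.2\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into its status line and header pairs."""
    fp = BytesIO(raw)
    status_line = fp.readline().decode("latin-1").rstrip("\r\n")
    msg = parse_headers(fp)  # reads up to the blank line, like http.client does
    return {"status": status_line, "headers": list(msg.items())}


def find_disclosures(headers, allowed_server=None) -> list:
    """Return (name, value) pairs that reveal the framework or server product.

    X-Powered-By is always reported. Server is reported unless its value equals
    the generic string the operator deliberately configured (allowed_server).
    """
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-powered-by":
            findings.append((name, value))
        elif lname == "server" and value != allowed_server:
            findings.append((name, value))
    return findings


def audit_live(host: str, port: int = 8080, path: str = "/", allowed_server=None):
    """Fetch headers from your own server and run the same check (network, not run offline)."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    findings = find_disclosures(resp.getheaders(), allowed_server)
    conn.close()
    return findings
```

Run `audit_live("localhost")` against a hardened instance; an empty list means neither X-Powered-By nor a product-revealing Server header is being sent.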

        • 1. Re: Unable to hide 'x-powered-by' header
          jaysensharma

          Hi,

          Which version of JBoss AS7 are you using?

          I tested the same on JBoss AS 7.1.2 and it worked fine:

              <configuration>
                  <jsp-configuration display-source-fragment="false" x-powered-by="false"/>
              </configuration>

          Also, if you want to prevent even the actual server name from being displayed as "Server:Apache", then run your JBoss with the following system property:

          -Dorg.apache.coyote.http11.Http11Protocol.SERVER="XYZServer"

          • 2. Re: Unable to hide 'x-powered-by' header
            benashmead

            Hi,

            Ah, we're on 7.1.1.Final, I wonder if this is something that's been fixed recently. I'll have a poke through the AS7 bug tracker and see what's changed - good to know my configuration is ok though, thanks!

            • 3. Re: Unable to hide 'x-powered-by' header
              parikh.urvish

              Is there any news? We are also facing the same issue on JBoss AS 7.1.1.

              Thx!

              • 4. Re: Unable to hide 'x-powered-by' header
                ctomc

                There is a known issue in 7.1.1 that the jsp-configuration element is not properly processed by the server, and as such none of the settings configured there are applied.

                It was fixed a few days after 7.1.1; just compile 7.1.2 or 7.1.3 yourself and you will be fine, or even better, upgrade to WildFly 8.

                • 5. Re: Unable to hide 'x-powered-by' header
                  parikh.urvish

                  Hi Tomaz,

                  Thx for the reply. In fact we use a custom JSF implementation; that's why the above-mentioned property is not able to remove it, even on JBoss 7.1.2.

                  We use the Mojarra JSF implementation, so it required the following context parameter in web.xml to remove X-Powered-By:JSF/1.2.

                  <context-param>
                      <param-name>com.sun.faces.sendPoweredByHeader</param-name>
                      <param-value>false</param-value>
                  </context-param>

                  Urvish