0 Replies Latest reply on Feb 10, 2010 5:45 AM by chrisharland

    Masking the Location Field in HTTP Headers

      We had a security audit recently and quite a few things were flagged up on our JBoss systems.

       

      I've found information on most things, but I can't seem to find any information on removing or masking the Location field in the HTTP headers.

       

      This only seems to appear on 302 redirects.

       

      We have servers with a hardware load balancer which NATs and masks internal IPs and ports. So, for example, let's say JBoss actually runs on port 14003; externally this appears as myjbosssite.company.com, which is on port 443 (HTTPS). The load balancer handles the certificate, and anyone going to port 80 gets redirected to HTTPS without the server getting involved.

       

      Requests then get translated to port 14003 and passed to the server.

       

      This all works fine, but on a 302 redirect the server is putting the internal port numbers into the headers in the Location field, so it looks like myjbosssite.company.com:14003. Is it possible to tell JBoss not to do this, or to remove this field from the headers? Is it required? Obviously the client can't be using it, because there is nothing on that port available externally.
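
An added example, not part of the original post: a check that flags a 3xx response whose Location header exposes a scheme or port other than the public one, plus the rewrite a front-end device would need to apply. The function names, the sample response, its `http` scheme and the `/app/login` path are assumptions; the host name and port 14003 come from the post.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
PUBLIC_ORIGIN = "https://myjbosssite.company.com"  # external name from the post
# Constructed sample response; the http scheme and /app/login path are assumed.
SAMPLE = ("HTTP/1.1 302 Moved Temporarily\r\n"
          "Location: http://myjbosssite.company.com:14003/app/login\r\n"
          "Content-Length: 0\r\n\r\n")

def parse_head(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def origin_of(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def audit_location(raw, public_origin=PUBLIC_ORIGIN):
    """Describe a leaked internal scheme/port in a 3xx Location, else None."""
    status, headers = parse_head(raw)
    location = headers.get("location")
    if not 300 <= status < 400 or not location:
        return None
    loc, pub = urlsplit(location), urlsplit(public_origin)
    # Relative redirects carry no port; other hosts are out of scope.
    if not loc.netloc or loc.hostname != pub.hostname:
        return None
    if origin_of(loc) != origin_of(pub):
        return f"{status} Location exposes {loc.scheme}://{loc.netloc}"
    return None

def rewrite_location(location, public_origin=PUBLIC_ORIGIN):
    """Map a same-host absolute Location onto the public origin."""
    loc, pub = urlsplit(location), urlsplit(public_origin)
    if not loc.netloc or loc.hostname != pub.hostname:
        return location
    return urlunsplit((pub.scheme, pub.netloc, loc.path, loc.query, loc.fragment))

if __name__ == "__main__":
    print(audit_location(SAMPLE))
    print(rewrite_location(parse_head(SAMPLE)[1]["location"]))
```
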