5 Replies Latest reply on Jun 18, 2014 11:38 AM by urvish parikh

    Unable to hide 'x-powered-by' header

    Ben Ashmead Newbie

      Hi,

       

      I'm trying to harden our AS7 servers and strip out any extraneous headers that could reveal vulnerabilities - I've been using the guide here: http://blog.csnc.ch/2012/02/jboss-7-1-web-server-hardening/

       

      My standalone.xml currently looks like this:

       

              <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

                  <connector name="AJP" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>

                      <configuration>

                              <jsp-configuration display-source-fragment="false" x-powered-by="false"/>

                      </configuration>

                  <virtual-server name="default-host" enable-welcome-root="true">

                      <alias name="localhost"/>

                      <alias name="example.com"/>

                  </virtual-server>

              </subsystem>

       

      JBoss appears to start without any errors, but I still get these headers when I request a page from the app:

       

      1. Connection:close
      2. Content-Encoding:gzip
      3. Content-Type:text/html;charset=UTF-8
      4. Date:Tue, 14 Aug 2012 15:34:02 GMT
      5. Server:Apache
      6. Transfer-Encoding:chunked
      7. Vary:Accept-Encoding
      8. X-Powered-By:JSF/1.2

       

      I'm trying to get rid of the 'X-Powered-By:' header altogether. Any ideas what I'm doing wrong?

       

      Thanks.