By default, JBoss application server will have its own identity in HTTP response header which is considered as information leakage vulnerability.
And, if you are working on PCI compliant environment then this is something you must fix.
Default Configuration will display Server banner as following HTTP response header
Server: Apache-Coyote/1.1
Implementation
- Go to JBoss/bin folder
- Add following in
standalone.confunderJAVA_OPTSvariable
-Dorg.apache.coyote.http11.Http11Protocol.SERVER=JbossSecureServer
Ex:
JAVA_OPTS="-Xms512m -Xmx512m -XX:MaxPermSize=256m -Xss168K -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dfile.encoding=UTF-8 -Dorg.apache.coyote.http11.Http11Protocol.SERVER=JbossSecureServer"
- Restart JBoss application server, and you should see
Serverheader is changed.
If you are interested in learning more about JBoss, then check out this course by Packt Publishing.
