English English French French Spanish Spanish German German
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

How to Hide Server & Port Info from WebSphere Error Page?

Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

As a WebSphere administrator, you might be familiar with the following error page. This error page is generated when hostname/IP doesn’t match in virtual host configuration.


Have you seen this error?

It exposes the server information and port number which is considered as information leakage security vulnerability.

There are three possible ways to fix this.

Handle custom error through web server – if you are using a web server in front of WebSphere then you can handle 404 error through a web server and show some custom error page.

By showing custom error page you hide the server information and maintain the brand across the application.

Handle error page within application – let developer handle the error page within WebSphere application code and trigger the custom error page whenever 404 return code triggered.

Override the error by WAS configuration – this is the quickest way to mask the server information but has some limitation. This allows you to show the message in text format and doesn’t allow the HTML tag.

If branding is not the concern then you may consider this. Let’s go through the configuration. This configuration is on JVM so if your application is having multiple JVM’s then you got to do in all.

  • Login to WebSphere Administrative Console
  • Go to the Servers >> Server Types >> WebSphere application servers
  • Click the JVM where you want to override the error
  • Expand “Web Container Settings” and click “Web container”
  • Click Custom properties


  • Click New and Enter the Name as
  • and Value the error message you want to show. For ex:
“Sorry, requested page not found.”
  • Click OK


  • Review and save the configuration
  • Restart the JVM

Now, let’s try to access some page which doesn’t exist.


Much better, isn’t it?

If you are working in PCI DSS compliant or highly transactional environment then mostly you will be asked by security auditing team to mitigate this.

I hope this small configuration help you in hiding WebSphere server information from the error page.

Thanks to our Sponsors
More great readings on WebSphere
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder