Should I get rid of the default Tomcat page?

 
Timothy Sam
Ranch Hand
Posts: 751
Are there any security concerns about leaving the default Tomcat page? Or is it ok to leave it just like that?
 
Naseem Khan
Ranch Hand
Posts: 809
Are there any security concerns about leaving the default Tomcat page?


Not getting. leaving?

Naseem
 
Timothy Sam
Ranch Hand
Posts: 751
When we first install Tomcat, there is the default greeting page. I want to know if I should leave (make it stay as it is, or make no changes to) it as it is. Or should I do something about it? Thank you for your reply.
 
Ben Souther
Sheriff
Posts: 13411
While you should never rely solely on 'security by obscurity', it certainly can't hurt to hide every detail possible about the system you're running.

Most well-written sites will provide their own 404 and 500 error pages.
Any default pages will have information about the site or company that the site was written for, not the server that is being used to run the site.

So I would say Yes, get rid of that page in your production environment.
Why hand a would-be cracker the make and version of the container he is trying to break into?

While you're at it, get rid of any of the apps that ship with Tomcat if you're not using them (Balancer, documentation, examples, etc.).
If you're going to use the manager app, it wouldn't hurt to rename it so someone can't just type "http://www.yourdomain.com/manager" to find out if you're using Tomcat.
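
Added example (not part of the thread or of any poster's reply): a shell audit of a Tomcat `webapps` directory that flags the items named in the answer above: bundled apps, the manager at its well-known path, the default welcome page, and missing custom error pages. The directory names and the "mentions Tomcat" heuristic are assumptions based on stock Tomcat distributions, and the sample layout is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Directory names are those of stock
# Tomcat distributions across versions (assumption; adjust for yours).
STOCK_APPS="docs examples balancer tomcat-docs jsp-examples servlet-examples webdav"
ADMIN_APPS="manager host-manager"

# Prints one finding per line; returns 0 only when nothing was found.
audit_webapps() {
    webapps=$1
    findings=0
    for app in $STOCK_APPS; do
        if [ -d "$webapps/$app" ]; then
            echo "REMOVE  $app: bundled app, delete if unused"
            findings=$((findings + 1))
        fi
    done
    for app in $ADMIN_APPS; do
        if [ -d "$webapps/$app" ]; then
            echo "RENAME  $app: answers at the well-known /$app path"
            findings=$((findings + 1))
        fi
    done
    # Heuristic (assumption): the stock welcome page mentions Tomcat.
    if grep -qis 'tomcat' "$webapps"/ROOT/index.*; then
        echo "REPLACE ROOT: default welcome page still present"
        findings=$((findings + 1))
    fi
    # Only ROOT's own web.xml is checked; without <error-page> entries
    # the container renders its own 404/500 pages.
    if ! grep -qs '<error-page>' "$webapps/ROOT/WEB-INF/web.xml"; then
        echo "ADD     ROOT: no custom <error-page> in WEB-INF/web.xml"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample layout resembling a fresh install (not real data).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ROOT/WEB-INF" "$d/examples" "$d/docs" "$d/manager"
    echo '<html><title>Apache Tomcat</title></html>' > "$d/ROOT/index.jsp"
    echo '<web-app></web-app>' > "$d/ROOT/WEB-INF/web.xml"
    echo "$d"
}

sample=$(make_sample)
audit_webapps "$sample" || echo "hardening needed: see findings above"
rm -rf "$sample"
```

Point `audit_webapps` at the real `webapps` directory of a production instance; a non-zero exit status makes it usable as a deployment gate.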
 