users@glassfish.java.net

How to disable unrequired header fields in glassfish 3.0.1 html responses

From: <glassfish_at_javadesktop.org>
Date: Fri, 23 Jul 2010 13:09:21 PDT

GlassFish seems to send the following header fields:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Accept-Ranges: bytes
Etag: W/"1090-1276886352000"
Last-Modified: Fri, 18 Jun 2010 18:39:12 GMT
Content-Type: text/html
Content-Length: 1090
Date: Fri, 23 Jul 2010 19:24:58 GMT
Connection: close

   <html>
     <body>
[...]

Of those fields, at least the following are not required by the HTML spec:
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1

I think I saw where I can disable X-Powered-By within the admin console GUI (browser) - am I correct?
But how can I disable sending the Server header?

Why I want this:
I want to secure GlassFish as much as possible. One thing is to make it as hard as possible for attackers to find out what kind of web server or application server is used. I think this is some kind of security requirement, isn't it? It would be great if it were possible to customize non-standard HTML header fields.

Do you see any way to disable the unrequired header fields?

Thanks,
Nabi
[Message sent by forum member 'nabizamani']

http://forums.java.net/jive/thread.jspa?messageID=478447
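
One way to verify the hardening asked about above, as an added example that is not part of the original post: a Python check that parses a raw response head and reports the headers that advertise the server software. The function names and the AFTER sample are assumptions made for this illustration; BEFORE is the response quoted in the post.

```python
import re

# Headers whose only purpose is to advertise the software stack.
DISCLOSURE_HEADERS = {"server", "x-powered-by"}
# Product token followed by a dotted version, e.g. "Servlet/3.0", "Edition 3.0.1".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*[/ ]v?\d+(?:\.\d+)+")

def parse_head(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # drop the body
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # values may contain ':' (Date)
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers

def audit(raw):
    """Return (header, value, reason) for every header that discloses the stack."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSURE_HEADERS:  # header names are case-insensitive
            leaks_version = VERSION_RE.search(value) is not None
            reason = "product and version" if leaks_version else "product name"
            findings.append((name, value, reason))
    return findings

# Response head copied from the post above.
BEFORE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "X-Powered-By: Servlet/3.0",
    "Server: GlassFish Server Open Source Edition 3.0.1",
    "Accept-Ranges: bytes",
    "Content-Type: text/html",
    "Date: Fri, 23 Jul 2010 19:24:58 GMT",
    "Connection: close",
    "", "<html>",
])
# Constructed sample: the same response with both headers suppressed.
AFTER = "\r\n".join(l for l in BEFORE.split("\r\n")
                    if not l.lower().startswith(("server:", "x-powered-by:")))

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "no disclosure headers")
```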