During a penetration test, one finding was an information disclosure caused by the use of a Tomcat web server.
If a request with an invalid URL is made (e.g. [http://localhost:8080/test?info={"id":null}]), the embedded Tomcat's ErrorReportValve is used and presents a default Tomcat error page. (Spring Boot 2.1.7 + Tomcat 9.0.54)
For a standalone deployment of Tomcat, we can configure it in server.xml like this (under the Host tag):
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
But for embedded Tomcat, this configuration is not possible via an application.properties file. For now we just override ErrorReportValve.java and set the member variables showReport and showServerInfo to false. In this way, the error page does not show the Tomcat server info, like the version.
Maybe it would be a good idea to expose these properties for configuration. What do you think?
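One way to apply the same two settings to the embedded Tomcat without patching ErrorReportValve.java is to register the valve on the embedded Host from a WebServerFactoryCustomizer. This is an added example, not code from the issue author or from Spring Boot itself; the class name and bean method name are my own, and it assumes a Spring Boot application with the embedded Tomcat starter on the classpath (the Tomcat Pipeline, ErrorReportValve and Spring Boot customizer APIs used here are real).

```java
import org.apache.catalina.Container;
import org.apache.catalina.Valve;
import org.apache.catalina.valves.ErrorReportValve;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; the bean method name is also an assumption.
@Configuration
public class TomcatErrorPageConfig {

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> quietTomcatErrorPage() {
        // Context customizers run after Spring Boot has attached the embedded
        // Context to its Host, so context.getParent() is the Host whose
        // pipeline carries the error-report valve.
        return factory -> factory.addContextCustomizers(context -> {
            Container host = context.getParent();
            if (host == null) {
                return; // defensive: nothing to configure without a Host
            }

            // Remove any ErrorReportValve that is already registered so that
            // the settings below are the ones that take effect.
            for (Valve valve : host.getPipeline().getValves()) {
                if (valve instanceof ErrorReportValve) {
                    host.getPipeline().removeValve(valve);
                }
            }

            // Programmatic equivalent of the server.xml line:
            // <Valve className="org.apache.catalina.valves.ErrorReportValve"
            //        showReport="false" showServerInfo="false" />
            ErrorReportValve errorValve = new ErrorReportValve();
            errorValve.setShowReport(false);      // no description / exception report block
            errorValve.setShowServerInfo(false);  // no "Apache Tomcat/9.0.x" banner
            host.getPipeline().addValve(errorValve);
        });
    }
}
```

Tomcat's StandardHost only adds its default ErrorReportValve at start-up when no valve of that class is already in the pipeline, so registering this one during context customization is enough. To check the result, request an invalid URL with `curl -i` and confirm the 400/404 body no longer contains the Tomcat version string. Before adding this, also check the value of `server.error.include-stacktrace`: to my knowledge Spring Boot's own TomcatWebServerFactoryCustomizer registers an equivalent valve when that property is `never`, so seeing the full report usually means the property was set to something else.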
Comment From: mhalbritter
Hello, Spring Boot 2.1.7 is not supported anymore. Please upgrade to at least 3.1.x and see if this is still a problem.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.