The default favicon served by Spring Boot could be classified as information leakage, in a similar manner to how the Server HTTP header (see #4730) and the exception error attribute (see #7872) were.
I'd consider removing the default favicon, as applications that don't provide a custom favicon will inevitably leak info about being powered by Spring Boot.
Comment From: wilkinsona
This is quite tempting. While we have a configuration property (spring.mvc.favicon.enabled), it's enabled by default. The docs also do not seem to mention that a default favicon will be served so some people may not be aware of the out-of-the-box behaviour.
If an application developer cares about the favicon they will provide their own. If they don't care about it I doubt there's much difference to them between serving a default icon and serving nothing.
Comment From: wilkinsona
Another benefit of removing the default favicon is that we could then also remove the spring.mvc.favicon.enabled property. It's a benefit as the property is confusing. Setting it to false does not, as the property's name might suggest, disable serving of a favicon.ico completely. It only disables serving a favicon.ico from the root of the classpath. A favicon.ico that's placed in one of the static resource locations will still be served.
Comment From: wilkinsona
We've decided to remove the default favicon.ico file, the resource handler configuration, and the property. Users who were placing a custom favicon.ico in the root of the classpath should move it to a static resource location or configure their own resource mapping.
Comment From: cardil
RIP favicon :sob:
Comment From: patkovskyi
What's the correct way to:
1. Return 404 on /favicon.ico requests
2. Return 200 with empty body on /favicon.ico requests

in Spring Boot 2.2.0+?
Note: I have spring.resources.add-mappings=false
Comment From: wilkinsona
@patkovskyi You should get a 404 by default if there are no mappings configured for /favicon.ico. To return a 200 with an empty body, you'd have to set up a mapping somehow, for example with a @ResponseBody-annotated @GetMapping that returns null.
If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
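An added example, not part of the original thread and not Spring Boot's own code, sketching the mapping described in the comment above together with a check that the response is a 200 with no body. The class names are hypothetical, and it assumes spring-webmvc, spring-test and JUnit 5 are on the classpath.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical controller: answers /favicon.ico itself, so the response
// carries no icon bytes that could identify the framework.
@Controller
class EmptyFaviconController {

    // A @ResponseBody handler that returns null writes nothing to the
    // response; the status stays at the default 200.
    @GetMapping("/favicon.ico")
    @ResponseBody
    public String favicon() {
        return null;
    }
}

// Hypothetical test: exercises the controller through a standalone MockMvc,
// so no application context or running server is needed.
class EmptyFaviconControllerTest {

    @Test
    void faviconIsOkWithEmptyBody() throws Exception {
        MockMvc mvc = MockMvcBuilders
                .standaloneSetup(new EmptyFaviconController())
                .build();

        mvc.perform(get("/favicon.ico"))
                .andExpect(status().isOk())
                .andExpect(content().string(""));
    }
}
```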
Comment From: wilkinsona
@hanryusan That’s unrelated to this issue as, with or without a default favicon, the location will change if you configure a context path. In that case you should link to the favicon.