Hello, The servlet 2.5 specification at http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html suggests in section "SRV.5.2 Headers" ... It is recommended that containers use the X-Powered-By HTTP header to publish its implementation information. The field value should consist of one or more implementation types, such as "Servlet/2.4". Optionally, the supplementary information of the container and the underlying Java platform can be added after the implementation type within parentheses. The container should be configurable to suppress this header. Here’s the examples of this header. X-Powered-By: Servlet/2.4 X-Powered-By: Servlet/2.4 JSP/2.0 (Tomcat/5.0 JRE/1.4.1) ... This behavior is not implemented in Tomcat 6.0.20. To make it totally clear, may I suggest to return the precise Tomcat and JVM version with all the digits and the vendor such as Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04) Having this headers helps a lot the development team to determine what is really running his application in test or production w/o asking to the maintenance guy who is either often unreachable or not able to answer (YES). Provide the option to remove the header through the configuration (file) or through programming (see related bugs 48004 and 48005). The servlet 3.0 specification at http://jcp.org/aboutJava/communityprocess/pfd/jsr315/index.html in the same section "SRV.5.2 Headers" says the same but I did not test for it in Tomcat 7. Thanks Olivier
This is already available in conf/web.xml - default is off since its a waste of bandwidth and a security hole. (information disclosure)
True that it's there in web.xml and even in the 5.5 version. I agree that it is a security hole IN PRODUCTION but for a development and test environment this is not a concern. Moreover you do not have the precise Tomcat version and the precise JVM version You have this header Server Apache-Coyote/1.1 and this one X-Powered-By JSP/2.1 This should be like IMHO to be really useful something such as Server Apache-Coyote/1.1 X-Powered-By JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04) And if you consider this to be a security hole then the the server header is also one and should be banned too for the same reasons. Sorry to insist but the operation teams are not always what they should be and this information saves time for some development teams like mine. I am perfectly OK with a default value of "false" in web.xml to not show the header for the reasons mentioned by Tim. Thanks to consider my point of view Olivier
Note that you can modify the server header to display anything you want to. The updated X-Powered-By header has been fixed in trunk and proposed for 6.0.x
Implemented in 6.0 in r896389, is in 6.0.24 onwards.